NKAbuse: Go-Powered Malware Floods & Hacks, Targets Linux & Beyond

In the ever-evolving landscape of cyber threats, a new multiplatform menace has emerged, shaking the foundations of digital security. Dubbed “NKAbuse,” this novel threat harnesses the power of the NKN (New Kind of Network) protocol, marking a significant shift in the tactics used by cybercriminals. Kaspersky’s Global Emergency Response Team (GERT) delves into the intricate workings of NKAbuse, its implications, and the challenges it presents.

NKN data routing diagram

NKAbuse, discovered by Kaspersky’s Global Emergency Response Team (GERT) and GReAT, is a sophisticated malware that leverages NKN technology for peer-to-peer data exchange. Written in Go, it is highly adaptable and capable of generating binaries for various architectures. Its primary targets are Linux desktops, but its versatility also makes IoT devices vulnerable, especially those running MISP and ARM systems.

The malware infiltrates systems by uploading an implant to the victim’s host, establishing persistence through a cron job, and nesting in the host’s home folder. Its capabilities are extensive, ranging from flooding to backdoor access, culminating in full remote administration.

NKN, short for “New Kind of Network,” is a peer-to-peer, blockchain-oriented network protocol that emphasizes decentralization and privacy. With over 60,000 nodes, NKN optimizes data transmission by selecting the shortest node trajectories. NKAbuse exploits this protocol for a series of flooding attacks and as a backdoor into Linux systems.

The attack vector is not entirely new. NKAbuse exploits an old vulnerability related to Apache Struts2 (CVE-2017-5638), targeting financial companies. By exploiting this vulnerability, attackers execute commands on the server, leading to the download and installation of the initial malware script.

Once installed, NKAbuse checks the operating system type and downloads the relevant malware implant. The malware ensures its uniqueness in running instances and strategically places itself within the system to avoid detection. It also establishes a structure named “Heartbeat” for regular communication with the bot master, containing vital information about the infected host.

NKAbuse is not just a DDoS tool; it’s a powerful backdoor with remote access trojan (RAT) capabilities. It can capture screenshots, create or remove files, fetch file lists, and gather detailed network interface information. Most notably, it can execute system commands on behalf of the current user, with the output sent to the bot master via NKN.

NKAbuse stands out for its use of less common communication protocols and its integration into a botnet while functioning as a backdoor on specific hosts. Its reliance on blockchain technology ensures reliability and anonymity, hinting at a potential expansion over time without a central controller. However, it lacks self-propagation functionality, relying on vulnerability exploitation for initial infection.

Kaspersky Lab’s telemetry data indicates victims in Colombia, Mexico, and Vietnam, among others. All Kaspersky products detect the threat as HEUR:Backdoor.Linux.NKAbuse.a.

NKAbuse represents a new frontier in cyber threats, combining advanced technology with old vulnerabilities to launch sophisticated attacks. Its multiplatform nature, coupled with the use of blockchain technology, makes it a formidable challenge for cybersecurity experts.