Cybersecurity researchers from Kaspersky’s Global Emergency Response Team (GERT) have identified that the NKAbuse malware is actively targeting devices in Colombia, Mexico, and Vietnam.
Kaspersky’s Global Emergency Response Team (GERT) has discovered a new multiplatform malware threat that uses innovative tactics to hijack victims. The malware, dubbed NKAbuse, uses New Kind of Network (NKN) technology, a blockchain-powered peer-to-peer network protocol to spread its infection.
NKAbuse is a Go-based backdoor used as a botnet to target Linux desktops and potentially IoT devices. The malware allows attackers to launch Distributed Denial of Service (DDoS) attacks or fling remote access trojans (RATs).
It is worth noting that the backdoor relies on NKN for anonymous yet reliable data exchange. For your information, NKN is an open-source protocol that allows peer-to-peer data exchange over a public blockchain with over 60,000 active nodes. It aims to provide a decentralized alternative to client-to-server methods while preserving speed and privacy.
The botnet can carry out flooding attacks using the 60,000 official nodes and links back to its C2 (command & control) servers. It features an extensive arsenal of DDoS attacks and multiple features to turn into a powerful backdoor or RAT.
The malware implant creates a structure called “Heartbeat” that communicates with the bot master regularly. It stores information about the infected host, including the victim’s PID, IP address, free memory, and current configuration.
Kaspersky researchers uncovered NKAbuse while investigating an incident targeting one of its customers in the finance sector. Further examination revealed that NKAbuse exploits an old Apache Struts 2 vulnerability (tracked as CVE-2017-5638).
The vulnerability, as reported by Hackread.com in December 2017, allows attackers to execute commands on the server using a “shell” header and Bash and then execute a command to download the initial script.
NKAbuse leverages the NKN protocol to communicate with the bot master and send/receive information. It creates a new account and multiclient to simultaneously send/receive data from multiple clients.
The NKN account is initialized with a 64-character string representing the public key and remote address. Once the client is set up, the malware establishes a handler to accept incoming messages, which contains 42 cases, each performing different actions based on the sent code.
Researchers observed that attackers exploited the Struts 2 flaw using a publicly available proof of concept exploit. They executed a remote shell script, determining the victim’s operating system and installing a second-stage payload. Using NKAbuse’s amd64 version, the attack achieved persistence through cron jobs.
“This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host and its use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller.”
Kaspersky’s Global Emergency Response Team (GERT)
NKAbuse has no self-propagation functionality and can target at least eight different architectures, although Linux is the priority. Successful implantation can lead to data compromise, theft, remote administration, persistence, and DDoS attacks.
For now, its operators are focusing on infecting devices in Colombia, Mexico, and Vietnam. However, researchers suspect its potential for expansion over time.
RELATED ARTICLES
- Free Download Manager Site Pushed Linux Password Stealer
- New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms
- Hamas Hackers Targeting Israelis with New BiBi-Linux Wiper Malware
- Kinsing Crypto Malware Hits Linux Systems via Apache ActiveMQ Flaw
- Looney Tunables Linux Vulnerability Exposes Millions of Systems to Attack