Threat actors target Linux systems because of their prevalence in server environments, and cron jobs provide a discreet means of maintaining unauthorized access for extended periods of time.
Kaspersky Lab experts discovered a versatile malware called NKAbuse written in Go that uses NKN technology for peer data exchange and has cross-architecture compatibility.
It primarily targets Linux desktops, but it can also infect MIPS and ARM systems, which puts IoT devices at risk as well.
It gets in through an implant upload and establishes persistence through a cron job in the home folder. Its characteristics are described below.
NKAbuse malware attacks Linux desktops
NKN (New Kind of Network) is a privacy-first decentralized protocol with over 60,000 nodes, equipped with diverse routing algorithms to optimize data transmission.
The malware's (ab)use of NKN's blockchain-based protocol also enables both flooding attacks and a backdoor into Linux systems.
Kaspersky's GERT (Global Emergency Response Team) found evidence of exploitation of an Apache Struts2 vulnerability (CVE-2017-5638) in an attack on a financial company. The vulnerability allows command execution via the “shell” header; the injected command downloads a script that installs the malware on the victim's device.
The setup script checks the OS type, downloads the second stage (the malware itself), named “app_linux_{ARCH}”, and runs it from the /tmp directory.
The malware supports the following eight architectures:
- 386
- arm64
- arm
- amd64
- mips
- mipsel
- mips64
- mips64el
Once executed, the malware NKAbuse relocates to /root/.config/StoreService/, obtains an IP via ifconfig.me, and utilizes a cron job to survive reboots.
It employs the NKN protocol for multi-client communication, account creation, and simultaneous data exchange.
NKAbuse uses the bot master message handler to perform a DDoS attack that includes a unique DNS overflow targeting the “{JUNK}.google.com” subdomain.
According to the researchers, NKAbuse is more than just a DDoS tool; it is a sophisticated backdoor/RAT that provides a variety of features to maintain persistence, execute commands, and collect sensitive information.
Its ability to act as a backdoor and remotely control infected systems makes it a serious threat to cybersecurity.
It establishes a “heartbeat” structure for regular communication with the bot master and stores host details. It also offers the following features:
- Taking screenshots
- Creating and deleting files
- Listing files
- Listing processes
- Executing system commands
- Sending output via NKN
NKAbuse is a unique cross-platform threat that stands out due to its use of unusual communication protocols. It is created for botnet integration and can also act as a host-specific backdoor.
IOC
Host-based:
- MD5: 11e2d7a8d678cd72e6e5286ccfb4c833
Created files:
- /root/.config/StoreService
- /root/.config/StoreService/app_linux_amd64
- /root/.config/StoreService/files
- /root/.config/StoreService/.cache
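As an added defender-side example (not code from the article or from Kaspersky), the following Python script checks a host or a mounted disk image for the persistence artifacts described above: the cron entry that re-launches the implant, the /root/.config/StoreService/ drop directory, the app_linux_{ARCH} stage-2 name, and the IOC paths and MD5 listed in this section. The crontab text is passed in as a string so it can come from `crontab -l` output or from a file; the `root` argument is an assumption that lets the check run against an offline image.

```python
"""Host triage for the NKAbuse indicators listed in this article.
Constructed example; the indicators are the ones the article publishes."""
import hashlib
import re
from pathlib import Path

IOC_MD5 = "11e2d7a8d678cd72e6e5286ccfb4c833"  # from the IOC section
IOC_PATHS = [  # from the IOC section, relative to the filesystem root
    "root/.config/StoreService",
    "root/.config/StoreService/app_linux_amd64",
    "root/.config/StoreService/files",
    "root/.config/StoreService/.cache",
]
# Stage-2 naming scheme app_linux_{ARCH} for the eight listed architectures.
STAGE2_RE = re.compile(r"app_linux_(386|arm64|arm|amd64|mips|mipsel|mips64|mips64el)\b")


def suspicious_cron_lines(crontab_text):
    """Return non-comment crontab entries that reference the drop directory
    or a stage-2 binary name (the cron-based persistence described above)."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if "StoreService" in entry or STAGE2_RE.search(entry):
            hits.append(entry)
    return hits


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large binaries do not load whole."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_paths(root="/"):
    """Report which IOC paths exist under `root` (assumed parameter so a
    mounted image can be scanned) and whether a file matches the published MD5."""
    findings = []
    for rel in IOC_PATHS:
        p = Path(root) / rel
        if not p.exists():
            continue
        tag = "path+md5" if p.is_file() and md5_of(p) == IOC_MD5 else "path"
        findings.append(f"{tag}:{rel}")
    return findings


if __name__ == "__main__":
    print(scan_paths("/"))
```

A "path" hit with no "md5" match still deserves triage: the article notes that the stage-2 name varies by architecture, so the published hash covers only the amd64 sample.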