Kaspersky's GERT Reveals Innovative Tactics and Threats Posed by NKAbuse
Kaspersky's Global Emergency Response Team (GERT) has exposed a new and sophisticated multiplatform malware threat known as NKAbuse. This malware employs innovative tactics, utilizing the New Kind of Network (NKN) technology, a blockchain-powered peer-to-peer network protocol, to propagate its infection.
The Threat Unveiled
NKAbuse, a Go-based backdoor, operates as a botnet designed to target Linux desktops and potentially IoT devices. This malware enables attackers to launch Distributed Denial of Service (DDoS) attacks and deploy remote access trojans (RATs). What makes NKAbuse particularly formidable is its reliance on the NKN protocol, which provides anonymous and reliable data exchange as a decentralized alternative to client-to-server methods.
Figure: NKN data transfer routing system (image credit: GERT)
Operating Mechanism
The botnet leverages the NKN protocol for anonymous data exchange, using over 60,000 active nodes. It executes flooding attacks through official nodes, linking back to its command and control (C2) servers. NKAbuse boasts an extensive arsenal of DDoS attacks and features that transform it into a potent backdoor or RAT. The malware implants a structure called "Heartbeat," regularly communicating with the bot master and storing critical information about the infected host.
Exploiting Vulnerabilities
Kaspersky researchers discovered NKAbuse while investigating an incident in the finance sector. The malware exploits an old Apache Struts 2 vulnerability (CVE-2017-5638), allowing attackers to execute commands on the server. The exploitation involves a publicly available proof of concept exploit, executing a remote shell script to determine the victim's operating system and install a second-stage payload.
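Defenders can hunt for this entry vector in web server logs. The sketch below is an added example, not code from Kaspersky or the original article. It relies on the public description of CVE-2017-5638 as an OGNL expression injected through the request's Content-Type header, and it assumes a constructed tab-separated log format that records that header.

```python
import re
from urllib.parse import unquote

# RFC 7230 "token" characters; a media type is token/token plus ;key=value params.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE = re.compile(
    rf'^{TOKEN}/{TOKEN}(\s*;\s*{TOKEN}=(?:{TOKEN}|"[^"\\]*"))*\s*$'
)
# OGNL expressions are delimited by %{...} or ${...}.
OGNL_OPEN = re.compile(r"[%$]\{")

# Constructed sample log (assumed fields: time, client, method, path, Content-Type).
# The flagged values are inert markers, not working payloads.
SAMPLE_LOG = [
    "2023-12-14T10:00:01Z\t192.0.2.10\tPOST\t/upload.action\tmultipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
    "2023-12-14T10:00:02Z\t198.51.100.7\tGET\t/index.action\t%{#constructed}.multipart/form-data",
    "2023-12-14T10:00:03Z\t198.51.100.7\tPOST\t/login.action\t%25%7B%23constructed%7D",
    "2023-12-14T10:00:04Z\t192.0.2.11\tGET\t/health\t-",
    "2023-12-14T10:00:05Z\t192.0.2.12\tPOST\t/api\tapplication/json; charset=utf-8",
]


def classify_content_type(raw):
    """Return the reasons a Content-Type value looks like an OGNL injection attempt."""
    value = unquote(raw.strip())  # some loggers percent-encode header values
    if value in ("", "-"):        # header absent
        return []
    reasons = []
    if OGNL_OPEN.search(value):
        reasons.append("ognl-expression-delimiter")
    if not MEDIA_TYPE.match(value):  # allow-list check, independent of any signature
        reasons.append("not-a-valid-media-type")
    return reasons


def scan(log_lines):
    """Return (client_ip, path, reasons) for every flagged request."""
    hits = []
    for line in log_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue  # malformed line: skip rather than crash
        _ts, ip, _method, path, ctype = fields
        reasons = classify_content_type(ctype)
        if reasons:
            hits.append((ip, path, reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(ip, path, ",".join(reasons))
```

Patching Struts remains the fix; the grammar check is useful at a reverse proxy or during log review because it does not depend on a payload signature.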
Blockchain-Powered Adaptability
NKAbuse showcases a unique adaptability, crafted meticulously for integration into a botnet while being capable of functioning as a backdoor in a specific host. Its use of blockchain technology ensures both reliability and anonymity, hinting at the potential for expansion over time without an identifiable central controller.
"This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host and its use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller." - Kaspersky’s Global Emergency Response Team
Global Reach and Targets
While NKAbuse's operators are currently focusing on infecting devices in Colombia, Mexico, and Vietnam, cybersecurity researchers suspect that the botnet could expand over time. The malware has no self-propagation functionality and can target at least eight different architectures, with Linux being the priority. Successful implantation can lead to severe consequences such as data compromise, theft, remote administration, persistence, and DDoS attacks.
NKAbuse represents a new frontier in malware threats, blending innovative tactics, blockchain technology, and adaptability. As Kaspersky's GERT continues to monitor and analyze this threat, it underscores the critical need for enhanced cybersecurity measures, constant vigilance, and collaboration within the cybersecurity community to mitigate and counter such sophisticated threats effectively. The landscape of cybersecurity is evolving, and understanding and addressing threats like NKAbuse are essential steps in safeguarding digital ecosystems worldwide.