NKAbuse

Brother

Researchers from Kaspersky Lab have uncovered a new unique multi-platform Go-based malware called NKAbuse with the ability to covertly exchange data via the New Kind of Network.

NKN is a relatively new decentralized peer-to-peer network protocol based on blockchain technology for managing resources, maintaining a secure and transparent network operation model.

NKN effectively optimizes the speed of data transmission over the network by implementing a variety of the most efficient data routing algorithms.

Similar to Tor, NKN includes nodes that currently number up to 61 thousand, providing decentralization and privacy.

NKAbuse is primarily targeting Linux desktop PCs in Mexico, Colombia and Vietnam, the researchers said. However, given its ability to infect MIPS and ARM systems, it also poses a threat to IoT devices.

One of the observed NKAbuse infections was carried out during an attack on a financial company using an old 10-point Apache Struts vulnerability (CVE-2017-5638).

In addition, NKAbuse is capable of abusing NKN to carry out DDoS attacks, which are quite difficult to track, let alone identify the specific infrastructure involved, since the new protocol is practically out of sight of most security solutions.

Attackers take advantage of the new communication protocol for C2, effectively evading detection. Specifically, the malware client communicates with the bot master via NKN to send and receive data.

Among the payload commands sent by C2 are HTTP, TCP, UDP, PING, ICMP and SSL flood attacks.

In addition to DDoS capabilities, NKAbuse also acts as a RAT on compromised systems, allowing its operators to execute commands, steal data, and take screenshots.

Malware is typically installed on the victim's device by executing a remote shell script.

A notable aspect is that there is no self-propagation mechanism, and persistence is achieved through the use of cron jobs.

According to Kaspersky Lab, the implant under study was carefully designed for integration into a botnet, but it can be adapted to work as a backdoor on a specific host.

At the same time, the use of blockchain technology ensures high reliability and anonymity, which indicates the impressive potential for the future development of a botnet that actually operates without an identifiable central controller, which makes protection against this threat very problematic.

Li Zheng, founder of NKN, said his team was surprised to learn of their protocol being used in this way. “We built NKN to enable truly decentralized communications that are secure, private and scalable. We will learn more about this report so that we can work together to make the Internet safe and neutral,” Zheng said.