Security researchers have identified a new multi-platform malware family that abuses the New Kind of Network (NKN) protocol for its command and control traffic.
Known as "NKAbuse," this Go-based backdoor gives its operators both DDoS flooding and remote access trojan (RAT) capabilities, and it relies on NKN rather than conventional C2 servers so that its traffic is harder to attribute and to block.
NKN is an open-source protocol that enables peer-to-peer (P2P) data exchange over a public blockchain, combining elements of a blockchain with Tor-style relayed routing. The network consists of over 60,000 official nodes, and its routing algorithms pick the best path for data across those nodes.
NKN aims to offer a decentralized alternative to traditional client-to-server data exchange while maintaining speed and privacy. Decentralized protocols like this are attractive to cybercriminals for command and control (C2) infrastructure: malicious traffic between the malware and its operator blends into a legitimate network, and there is no single server to seize or block.
Researchers at Kaspersky discovered NKAbuse while investigating an incident at a customer in the finance sector. Initial access came through an old Apache Struts 2 vulnerability, CVE-2017-5638, a remote code execution flaw in the Jakarta Multipart parser that is triggered by an OGNL expression in a crafted Content-Type header. NKAbuse is built for eight different architectures, with Linux as the primary target.
The attackers used a publicly available proof of concept (PoC) exploit for the Struts 2 flaw to execute a remotely fetched shell script that identifies the victim's operating system and selects the appropriate second-stage payload to install.
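Because the public PoC for CVE-2017-5638 carries its OGNL expression in the Content-Type header, any reverse proxy or IDS that records request headers can flag the initial-access attempt described above. The following detector is an added example, not code from the page or from Kaspersky's report; the record layout (a list of dicts with a `headers` mapping and a `client_ip`) and the sample requests are constructed for illustration, and the flagged entries contain only the OGNL delimiters and a sandbox token, not a working exploit chain.

```python
"""
Added example: flag HTTP requests whose Content-Type (or Content-Disposition)
header carries an OGNL expression, the CVE-2017-5638 exploitation pattern
against Apache Struts 2's Jakarta Multipart parser.
The record format is an assumption; adapt it to what your proxy exports.
"""
import re
from urllib.parse import unquote

# OGNL expression delimiters; '%{' is the canonical form, '${' is also
# evaluated by the expression engine.
OGNL_MARKERS = re.compile(r"[%$]\{")

# Identifiers the public PoC chain uses to disable the OGNL sandbox and
# reach process execution; none of them belongs in a Content-Type value.
OGNL_SANDBOX_TOKENS = re.compile(
    r"#_memberAccess|allowStaticMethodAccess|denyMethodExecution"
    r"|ProcessBuilder|getRuntime\(\)",
    re.IGNORECASE,
)

INSPECTED_HEADERS = ("content-type", "content-disposition")


def is_struts_ognl_attempt(headers):
    """Return the name of the offending header, or None.

    Header names are matched case-insensitively, and the value is
    percent-decoded twice so an encoded '%25%7B' does not slip past.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in INSPECTED_HEADERS:
        value = lowered.get(name)
        if not value:
            continue
        decoded = unquote(unquote(value))
        if OGNL_MARKERS.search(decoded) or OGNL_SANDBOX_TOKENS.search(decoded):
            return name
    return None


def scan_requests(requests):
    """Return (index, client_ip, header_name) for every flagged request."""
    hits = []
    for i, req in enumerate(requests):
        hit = is_struts_ognl_attempt(req.get("headers", {}))
        if hit:
            hits.append((i, req.get("client_ip", "?"), hit))
    return hits


# Constructed sample requests (not real traffic). The two 'attack' entries
# carry only the OGNL delimiters and one sandbox token, no exploit chain.
SAMPLE_REQUESTS = [
    {"client_ip": "10.0.0.5",
     "headers": {"Content-Type": "multipart/form-data; boundary=----abc123"}},
    {"client_ip": "10.0.0.6",
     "headers": {"Content-Type": "application/json"}},
    {"client_ip": "198.51.100.7",
     "headers": {"Content-Type": "%{(#_='multipart/form-data').(#_memberAccess=null)}"}},
    {"client_ip": "198.51.100.8",
     "headers": {"content-type": "%25%7B(%23cmd%3D'id')%7D"}},
]

if __name__ == "__main__":
    for idx, ip, header in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx} from {ip}: OGNL expression in {header}")
```

The double decode matters in practice: a single-decoded log field still shows `%{` for a literal payload, but a percent-encoded one only reveals the delimiter after the second pass. A match on either regex is a strong signal on its own; legitimate multipart uploads never carry `%{` in Content-Type.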
Analysis of a sample attack involving NKAbuse's amd64 (x86-64) version showed that, after being dropped in the /tmp directory, the implant checks that it is the only instance running, moves itself to the system's root directory, and establishes persistence through cron jobs.
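Cron-based persistence leaves a trace that is cheap to hunt for. The script below is an added example rather than code from the page or from Kaspersky: it parses crontab-format text (both the user layout from `crontab -l` and the `/etc/crontab` layout with a user field) and flags entries that run at every boot, run every minute, or execute from directories where a scheduled job rarely lives. The set of suspect directories, the sample crontabs and the binary names in them are assumptions constructed for illustration, not indicators from the NKAbuse report.

```python
"""
Added example: hunt for suspicious cron persistence.
SUSPECT_DIRS and the sample crontabs are assumptions for illustration.
"""
import re
import shlex

# Directories a legitimate scheduled job rarely executes from (assumption).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/")
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text, system=False):
    """Return a list of dict(line, schedule, user, command).

    system=True selects the /etc/crontab layout, which has a user field
    between the schedule and the command; user crontabs have none.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        n_sched = 1 if line.startswith("@") else 5   # @reboot etc. vs m h dom mon dow
        n_fields = n_sched + (1 if system else 0)
        parts = line.split(None, n_fields)
        if len(parts) <= n_fields:
            continue  # malformed line or no command
        entries.append({
            "line": lineno,
            "schedule": " ".join(parts[:n_sched]),
            "user": parts[n_sched] if system else None,
            "command": parts[n_fields],
        })
    return entries


def _executable(command):
    """First token of the command that is not a VAR=value assignment."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return None
    for tok in tokens:
        if not ENV_ASSIGNMENT.match(tok):
            return tok
    return None


def flag_persistence(entries):
    """Return (entry, reasons) for every entry worth a closer look."""
    flagged = []
    for e in entries:
        reasons = []
        exe = _executable(e["command"])
        if exe and exe.startswith(SUSPECT_DIRS):
            reasons.append(f"executable under {exe.rsplit('/', 1)[0]}/")
        # 'sh /tmp/x.sh' hides the path behind the interpreter, so also
        # look at the rest of the command line.
        elif any(d in e["command"] for d in SUSPECT_DIRS):
            reasons.append("argument references a suspect directory")
        if e["schedule"] == "@reboot":
            reasons.append("runs at every boot")
        if e["schedule"] == "* * * * *":
            reasons.append("runs every minute")
        if reasons:
            flagged.append((e, reasons))
    return flagged


# Constructed user crontab; the paths under /root and /tmp are hypothetical.
SAMPLE_USER_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/15 * * * * /usr/local/bin/backup.sh --quiet
@reboot /root/.cache/svc_linux_amd64
* * * * * sh /tmp/.x/run.sh >/dev/null 2>&1
"""

# Constructed /etc/crontab-style text with a user field.
SAMPLE_SYSTEM_CRONTAB = """\
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         root    /var/tmp/.cache/update
"""

if __name__ == "__main__":
    for entry, reasons in flag_persistence(parse_crontab(SAMPLE_USER_CRONTAB)):
        print(f"line {entry['line']}: {entry['command']}  <- {'; '.join(reasons)}")
    for entry, reasons in flag_persistence(parse_crontab(SAMPLE_SYSTEM_CRONTAB, system=True)):
        print(f"[{entry['user']}] line {entry['line']}: {entry['command']}  <- {'; '.join(reasons)}")
```

On a live host, feed it the output of `crontab -l` for every user plus the contents of `/etc/crontab` and `/etc/cron.d/*` (the latter two with `system=True`). The single-instance check the implant performs means a killed process is simply restarted by the next cron run, which is why an every-minute or `@reboot` entry pointing at an unusual path deserves attention even when the binary is no longer on disk.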
To establish a reliable channel to its operator over NKN, the malware creates a new NKN account and a multiclient, which lets it send and receive data over several NKN client connections at once, so the channel survives the loss of any single node.
According to Kaspersky, NKAbuse implements 12 different DDoS flooding techniques, all of them previously seen in known botnets.
The researchers noted, “Although relatively rare, new cross-platform flooders and backdoors like NKAbuse stand out through their utilization of less common communication protocols.”
NKAbuse's RAT functionality is extensive: the operator can take screenshots of the victim's desktop, run system commands, delete files, and fetch a listing of a specified directory, among other tasks.
Incidents involving NKAbuse have been observed at victim organizations in Mexico, Colombia, and Vietnam.