NKabuse backdoor harnesses blockchain brawn to hit several architectures

December 15, 2023 at 09:36AM

Researchers have discovered a new multi-platform malware, “NKAbuse,” that uses the NKN protocol for anonymous and reliable data exchange with its operator. The malware is delivered through an Apache Struts 2 vulnerability and targets several CPU architectures, with Linux as the priority. It provides both DDoS and RAT functionality, and implants have been found in organizations in Mexico, Colombia, and Vietnam.

The report describes the discovery of a new multi-platform malware, named “NKAbuse,” which abuses the New Kind of Network (NKN) protocol. The malware, a Go-based backdoor, lets criminal attackers launch DDoS attacks and use the implant as a remote access trojan (RAT), and it relies on NKN for anonymous yet reliable data exchange.

NKN is an open source protocol for peer-to-peer (P2P) data exchange over a public blockchain, offering a decentralized alternative to the client-server model while preserving speed and privacy. Decentralized protocols of this kind, however, have a history of being exploited by cybercriminals to build command and control (C2) infrastructure, since there is no single server to block or take down.

NKAbuse was discovered by Kaspersky researchers during an incident investigation in the finance sector. Initial access relies on an old Apache Struts 2 vulnerability (CVE-2017-5638), and the malware is built for eight different architectures, with Linux as the priority. The attackers used a publicly available proof of concept (PoC) exploit for the Struts 2 flaw to execute a remote shell script; that script determines the victim’s operating system and architecture and then installs the matching second-stage payload.
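Because the initial foothold is a six-year-old Struts 2 flaw reached through a public PoC, the cheapest detection is at the web tier. CVE-2017-5638 is the Jakarta Multipart parser bug: an OGNL expression placed in the request’s Content-Type header is evaluated server-side, and the public PoCs all work that way. The script below screens access records for that pattern. It is an added example, not code from the researchers or the article; the log format (one request per line, tab-separated client, method, path and Content-Type) and the sample lines are constructed for this illustration, and the payload fragments in them are deliberately incomplete.

```python
"""Screen web-server access records for CVE-2017-5638 exploitation attempts.

Added example, not the researchers' code. The log format is constructed:
one request per line, tab-separated as client, method, path, Content-Type.
"""
import re
from typing import Dict, List

# Markers that appear in the OGNL payloads used by the public PoCs. A benign
# Content-Type is a media type such as "multipart/form-data; boundary=..."
# and never contains an OGNL expression delimiter or these class references.
OGNL_MARKERS = re.compile(
    r"%\{|#_memberAccess|ognl\.OgnlContext|@java\.lang\.Runtime|"
    r"java\.lang\.ProcessBuilder|getRuntime\(\)",
    re.IGNORECASE,
)

# Constructed sample records; the second and fourth mimic the shape of an
# exploitation attempt (the payloads are deliberately incomplete).
SAMPLE_LOG: List[str] = [
    "203.0.113.5\tPOST\t/showcase/upload.action\tmultipart/form-data; boundary=----b1",
    "203.0.113.9\tPOST\t/index.action\t%{(#_='multipart/form-data').(#_memberAccess=...)}",
    "198.51.100.2\tGET\t/login.action\ttext/html",
    "203.0.113.9\tPOST\t/index.action\tmultipart/form-data; %{@java.lang.Runtime@getRuntime()}",
]


def is_struts_ognl_injection(content_type: str) -> bool:
    """Return True when a Content-Type value carries an OGNL marker."""
    return OGNL_MARKERS.search(content_type) is not None


def parse_record(line: str) -> Dict[str, str]:
    """Split one constructed log line into its four fields."""
    client, method, path, content_type = line.rstrip("\n").split("\t", 3)
    return {"client": client, "method": method, "path": path,
            "content_type": content_type}


def find_exploit_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return the records whose Content-Type looks like a Struts 2 OGNL injection."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        match = OGNL_MARKERS.search(rec["content_type"])
        if match:
            rec["marker"] = match.group(0)   # which indicator fired
            hits.append(rec)
    return hits


def attempts_per_client(lines: List[str]) -> Dict[str, int]:
    """Count flagged requests per source address, to prioritise triage."""
    counts: Dict[str, int] = {}
    for rec in find_exploit_attempts(lines):
        counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in find_exploit_attempts(SAMPLE_LOG):
        print(f'{rec["client"]} {rec["method"]} {rec["path"]} marker={rec["marker"]}')
    print(attempts_per_client(SAMPLE_LOG))
```

Only the Content-Type header is inspected because that is the injection point for this CVE; a server that logs request headers (or a WAF in front of it) can apply the same test in line. A hit does not prove compromise, only that the PoC shape was sent, so the natural next step is to check the server for the dropped shell script and the second-stage binary.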

In the attack the researchers walk through, using the amd64 (x86-64) build, the malware is staged in the /tmp directory, copies itself into the root user’s home directory and achieves persistence through a cron job so that it relaunches after a reboot. It then creates a new account and a multiclient on the NKN network, which lets it hold several concurrent connections and so maximize the reliability of its link to the operator.
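The persistence described above leaves a simple trace: a cron entry that launches something from /tmp or the root user’s home directory, often on @reboot. The following script, added here as an example and not taken from the researchers, parses crontab text and flags such entries. The crontab content and the path names in it are constructed for this illustration; on a real host you would feed it the output of `crontab -l -u root` and the files under /etc/cron.d.

```python
"""Hunt for cron-based persistence of the kind described for the amd64 NKAbuse
sample: a job that relaunches a binary staged via /tmp or dropped in the root
user's home directory, typically on @reboot.

Added example, not the researchers' code. The crontab text and the path
names below are constructed for this illustration.
"""
from typing import Dict, List

# Directories a legitimate scheduled job rarely executes from on a server.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/")

SAMPLE_CRONTAB = """\
# root crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
@reboot /root/.cache/svcd >/dev/null 2>&1 &
*/5 * * * * /tmp/.x/update.sh
"""


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Parse crontab text into (schedule, command) pairs.

    Comments, blank lines and environment assignments (NAME=value) are skipped.
    Both five-field schedules and @-shortcuts such as @reboot are handled.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:           # environment assignment, not a job
            continue
        if first.startswith("@"):  # @reboot, @daily, ...
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:     # malformed entry, nothing to run
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append({"schedule": schedule, "command": command.strip()})
    return entries


def suspicious_entries(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag jobs whose command references a staging directory; note @reboot."""
    flagged = []
    for entry in entries:
        dirs = [d for d in SUSPECT_DIRS if d in entry["command"]]
        if dirs:
            flagged.append({**entry, "directories": dirs,
                            "runs_at_boot": entry["schedule"] == "@reboot"})
    return flagged


def audit_crontab(text: str) -> List[Dict[str, object]]:
    """Parse and flag in one call; returns the suspicious entries."""
    return suspicious_entries(parse_crontab(text))


if __name__ == "__main__":
    # On a live host, feed in `crontab -l -u root` and the files under
    # /etc/cron.d instead of the constructed sample.
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f'{f["schedule"]:<12} {f["command"]}  <- {", ".join(f["directories"])}'
              + ("  (runs at boot)" if f["runs_at_boot"] else ""))
```

Flagged entries are a starting point for triage, not a verdict: legitimate software occasionally schedules jobs from /root, so the command path should be checked against package ownership and file hashes before anything is removed.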

NKAbuse implements 12 different types of DDoS attack, all of which have been seen in known botnets; what makes it stand out is its use of an uncommon communication protocol rather than any novel flooding technique. Its RAT functionality is broad, letting attackers take screenshots, run system commands, delete files, and retrieve file listings from the victim.

Victim organizations in Mexico, Colombia, and Vietnam have been identified as hosting NKAbuse implants. The researchers note that the botnet could expand steadily over time with no identifiable central controller, since its reliance on the blockchain-based network gives it both reliability and anonymity.
