A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel.
"The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian cybersecurity company Kaspersky said in a Thursday report.
NKN, which has over 62,000 nodes, is described as a "software overlay network built on top of today's Internet that enables users to share unused bandwidth and earn token rewards." It incorporates a blockchain layer on top of the existing TCP/IP stack.
While threat actors are known to take advantage of emerging communication protocols for command-and-control (C2) purposes and evade detection, NKAbuse leverages blockchain technology to conduct distributed denial-of-service (DDoS) attacks and function as an implant inside compromised systems.
Specifically, it uses the protocol to talk to the bot master and receive/send commands. The malware is implemented in the Go programming language, and evidence points to it being used primarily to single out Linux systems, including IoT devices, in Colombia, Mexico, and Vietnam.
It's currently not known how widespread the attacks are, but one instance identified by Kaspersky entails the exploitation of a six-year-old critical security flaw in Apache Struts (CVE-2017-5638, CVSS score: 10.0) to breach an unnamed financial company.
Successful exploitation is followed by the delivery of an initial shell script that's responsible for downloading the implant from a remote server, but not before checking the operating system of the target host. The server hosting the malware houses eight different versions of NKAbuse to support various CPU architectures: i386, arm64, arm, amd64, mips, mipsel, mips64, and mips64el.
Another notable aspect is its lack of a self-propagation mechanism, meaning the malware needs to be delivered to a target by another initial access pathway, such as through the exploitation of security flaws.
"NKAbuse makes use of cron jobs to survive reboots," Kaspersky said. "To achieve that, it needs to be root. It checks that the current user ID is 0 and, if so, proceeds to parse the current crontab, adding itself for every reboot."
NKAbuse also incorporates a bevy of backdoor features that allow it to periodically send a heartbeat message to the bot master, which contains information about the system, capture screenshots of the current screen, perform file operations, and run system commands.
"This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host," Kaspersky said. "Moreover, its use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller."
"We are surprised to see NKN is used in such a way," Zheng "Bruce" Li, co-founder of NKN, told The Hacker News. "We built NKN to provide true peer-to-peer communication that is secure, private, decentralized, and massively scalable. We are trying to learn more about the report to see if together we can make the internet safe and neutral."