NKAbuse Malware Exploits NKN Blockchain for Stealthy Operations

December 14, 2023

NKAbuse, a new multi-platform malware, is the first to exploit the NKN (New Kind of Network) technology for data exchange, making it a covert threat. NKN is a fairly recent decentralized P2P network protocol that uses blockchain technology to manage resources and ensure a secure and transparent model for network operations. It aims to enhance data transmission speed and latency across the network by determining efficient data packet travel paths. As with the Tor network, individuals can contribute to the NKN network by running nodes. Currently, the network consists of approximately 60,710 nodes. This large number of nodes adds to the network's robustness, decentralization, and capacity to handle substantial data volumes.

The discovery of NKAbuse was reported by Kaspersky. The malware primarily targets Linux desktops in Mexico, Colombia, and Vietnam. NKAbuse has also been found to exploit an old Apache Struts vulnerability (CVE-2017-5638) to attack a financial company. While most attacks are directed at Linux computers, the malware can also compromise IoT devices and supports MIPS, ARM, and 386 architectures.

NKAbuse leverages NKN to initiate DDoS (distributed denial of service) attacks that are difficult to trace back to a specific infrastructure and are unlikely to be flagged as they originate from a new protocol not actively monitored by most security tools. Kaspersky explains, "This threat (ab)uses the NKN public blockchain protocol to carry out a large set of flooding attacks and act as a backdoor inside Linux systems." In particular, the malware client communicates with the bot master via NKN to send and receive data. Its ability to maintain multiple concurrent channels enhances the resilience of its communication line. The payload commands sent by the C2 include HTTP, TCP, UDP, PING, ICMP, and SSL flood attacks targeted at a specific victim. Kaspersky adds, "All these payloads historically have been used by botnets, so, when combined with the NKN as the communication protocol, the malware can asynchronously wait for the master to launch a combined attack."

Besides its DDoS capabilities, NKAbuse also functions as a remote access trojan (RAT) on compromised systems, enabling its operators to execute commands, exfiltrate data, and capture screenshots. This wide range of capabilities, which make NKAbuse highly adaptable and versatile, is not common in the DDoS botnet space. Moreover, the use of blockchain technology that ensures availability and masks the source of the attacks makes defending against this threat extremely challenging.

Latest News

• Russian APT29 Hackers Exploiting TeamCity Servers Since September: CISA
• Critical Apache Struts Vulnerability Targeted by Hackers Using Public Proof-of-Concept
• Sophos Backports Critical Vulnerability Fix for EOL Firewall Firmware
• Microsoft's December 2023 Patch Tuesday Addresses 34 Vulnerabilities, Including an AMD Zero-Day
• Critical RCE Vulnerability in WordPress Backup Migration Plug-in Puts Thousands of Websites at Risk