Kaspersky Reveals NKAbuse: Multiplatform Malware with Blockchain

Kaspersky discovered NKAbuse, a novel malware that exploits NKN technology, a blockchain networking protocol recognized for its privacy features.

Bharti Trehan

During a recent incident response, Kaspersky experts discovered NKAbuse, a novel malware that exploits NKN technology, a decentralized, blockchain-oriented networking protocol recognized for its peer-to-peer nature and privacy features. The Kaspersky Security Network detected potential victims of this attack in Colombia, Mexico, and Vietnam.


NKAbuse stands as a hybrid implant, functioning both as a backdoor/RAT and a flooder, presenting a versatile dual threat. Operating as a backdoor/RAT, NKAbuse grants unauthorized access to victims' systems, facilitating covert command execution, data theft, and activity monitoring, which is particularly valuable for espionage and data exfiltration. Simultaneously, in its flooder role, it can initiate destructive Distributed Denial of Service (DDoS) attacks, overwhelming and disrupting targeted servers or networks, significantly impacting organizational operations. This dual functionality underscores NKAbuse's adaptability, posing a comprehensive threat to both system integrity and operational continuity.

The malware exhibits advanced functionalities, including the capture of screenshots, file management, retrieval of system and network information, and execution of system commands. Utilizing the NKN network, it discreetly transmits all collected data to its botmaster, employing decentralized communications for a covert and efficient operation. This sophisticated set of features underscores the malware's ability to discreetly gather information and execute commands while leveraging decentralized communication channels to maintain stealth and operational efficiency.

NKAbuse initiates its infiltration by exploiting the dated Remote Code Execution (RCE) vulnerability CVE-2017-5638, providing attackers with control over the compromised systems. Subsequently, the malware downloads an implant onto the victim's host, initially locating it in a temporary directory for execution. To ensure sustained operation within the system, NKAbuse establishes persistence by creating a cron job and situating itself within the host's home folder. This methodical approach allows the malware to maintain a foothold on the affected system, emphasizing the significance of the initial vulnerability exploitation and the subsequent steps taken to embed and fortify its presence on the compromised host.
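A defender-side check for the persistence pattern described above (a cron job that launches something from a home or temporary directory), added here as an example and not taken from Kaspersky's report. The sample crontab, its paths, and the watch list of directories are constructed assumptions.

```python
import re
import shlex

# Assumed watch list: temp directories and home folders (the locations the article names).
SUSPECT_DIRS = re.compile(r"^(/tmp|/var/tmp|/home/[^/]+|/root)(/|$)")
HOME_REF = re.compile(r"^(~|\$HOME|\$\{HOME\})(?=/)")
SHORTCUTS = {"@reboot", "@hourly", "@daily", "@weekly", "@monthly", "@yearly", "@annually", "@midnight"}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def cron_command(line, system_format=False):
    """Return the command part of one crontab line, or None for comments, blanks and env lines."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    # 1 schedule field for @shortcuts, 5 otherwise; /etc/crontab and /etc/cron.d add a user field.
    skip = (1 if line.split()[0] in SHORTCUTS else 5) + (1 if system_format else 0)
    parts = line.split(None, skip)
    return parts[skip] if len(parts) > skip else None

def suspect_paths(command):
    """Tokens of the command that point into a home or temp directory."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    return [t for t in tokens if SUSPECT_DIRS.match(HOME_REF.sub("/home/_", t))]

def audit(crontab_text, system_format=False):
    """Return (line number, suspicious tokens) for every cron entry worth reviewing."""
    findings = []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        cmd = cron_command(line, system_format)
        hits = suspect_paths(cmd) if cmd else []
        if hits:
            findings.append((n, hits))
    return findings

# Constructed sample crontab (not from the article or from a real host).
SAMPLE = """\
# m h dom mon dow command
MAILTO=root
17 3 * * * /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete
@reboot /home/alice/.cache/updater >/dev/null 2>&1
*/5 * * * * sh -c "/tmp/.x/agent --quiet"
0 4 * * * $HOME/bin/sync
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The output is a review list, not a verdict: legitimate user jobs also live under home directories, so each hit needs checking against what is expected on that host.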

“The implant’s use of the NKN protocol underlines its advanced communication strategy, enabling decentralized, anonymous operations and leveraging NKN’s blockchain features for efficient, stealthy communication between infected nodes and C2 servers. This approach complicates detection and mitigation efforts. I would like to commend the Kaspersky GERT team for their exceptional effort in identifying this sophisticated threat,” says Lisandro Ubiedo, Security Researcher at Kaspersky’s GReAT.

Opting for Go as its programming language empowers NKAbuse with cross-platform compatibility, enabling it to target a diverse array of operating systems and architectures, encompassing Linux desktops and Internet of Things (IoT) devices. Go's utilization amplifies the implant's performance, especially in networked applications, facilitating efficient and concurrent processing. Additionally, Go's capability to generate self-contained binaries streamlines deployment processes and augments robustness, rendering NKAbuse a potent and versatile tool in the landscape of cybersecurity threats. This strategic choice of programming language not only broadens the scope of potential targets but also enhances the malware's capabilities, emphasizing its adaptability, efficiency, and resilience in the face of diverse cybersecurity environments.
