A sophisticated and versatile malware called NKAbuse has been discovered operating as both a flooder and a backdoor, targeting Linux desktops in Colombia, Mexico, and Vietnam.
According to a report this week from Kaspersky, this cross-platform threat, written in Go, exploits the NKN blockchain-oriented peer-to-peer networking protocol.
NKAbuse can infect Linux systems, as well as Linux-derived architectures like MISP and ARM - which places Internet of Things devices at risk as well.
The decentralized NKN network hosts more than 60,000 official nodes, and employs various routing algorithms to streamline data transmission by identifying the most efficient node pathway toward a given payload's destination.
A Unique Multitool Malware Approach Lisandro Ubiedo, security researcher at Kaspersky, explains that what makes this malware unique is the use of the NKN technology to receive and send data from and to its peers, and its use of Go to generate different architectures, which could infect different types of systems.
It functions as a backdoor to grant unauthorized access, with most of its commands centering on persistence, command execution, and information gathering.
The malware can capture screenshots by identifying display bounds, convert them to PNG, and transmit them to the bot master, according to Kaspersky's malware analysis of NKAbuse.
Simultaneously, it acts as a flooder, launching destructive distributed denial of service attacks that can disrupt targeted servers and networks, carrying the risk of significantly impacting organizational operations.
He adds that before this malware went live in the wild, there was a proof-of-concept called NGLite that explored the possibility of using NKN as a remote administration tool, but it wasn't as extensively developed nor as fully armed as NKAbuse.
In October, the ClearFake campaign was discovered utilizing proprietary blockchain tech to conceal harmful code, distributing malware like RedLine, Amadey, and Lumma through deceptive browser update campaigns.
Updating Antivirus and Deploying EDR Notably, the malware has no self-propagation mechanism - instead, it relies on someone exploiting a vulnerability to deploy the initial infection.
In the attacks that Kaspersky observed the attack chain began with the exploitation of an old vulnerability in Apache Struts 2.
Thus, to prevent targeted attacks by known or unknown threat actors using NKAbuse, Kaspersky advises organizations keep operating systems, applications, and antivirus software updated to address known vulnerabilities.
After a successful exploit, the malware then infiltrates victim devices by running a remote shell script hosted by attackers, which downloads and executes a second-stage malware implant tailored to the target OS architecture, stored in the /tmp directory for execution.
As a result, the security firm also recommends deployment of endpoint detection and response solutions for post-compromise cyber-activity detection, investigation, and prompt incident remediation.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 15 Dec 2023 18:25:51 +0000