Incident responders say they've found a new type of multi-platform malware abusing the New Kind of Network protocol.
NKN is an open source protocol that lets users perform a peer-to-peer data exchange over a public blockchain - like a cross between a traditional blockchain and the Tor network.
More than 60,000 official nodes are active and the network's algorithms determine the optimum route for data exchange across those nodes.
It aims to provide a decentralized alternative to client-to-server methods of data exchange while preserving speed and privacy.
Historically, network protocols like NKN have been used by cybercriminals to establish command and control infrastructure - a means to anonymize the malicious traffic sent between the malware and its operator.
Researchers at Kaspersky say they uncovered NKAbuse while looking into an incident at one of its customers in the finance sector.
NKAbuse apparently exploits an old Apache Struts 2 vulnerability and can target eight different architectures, although Linux appears to be the priority.
In the incident, the attackers used a publicly available proof-of-concept exploit for the Struts 2 flaw to execute a remote shell script, which determines the victim's operating system and, from that, which second-stage payload is installed.
In an example attack analyzed with NKAbuse's amd64 version, the implant is initially placed in the /tmp directory, checks that it is the only instance running, moves to the system's root directory, and then achieves persistence through cron jobs.
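One defender-side check for the persistence pattern just described (payload staged in /tmp, relocated to the filesystem root, relaunched via cron): an added Python example, not code from Kaspersky or the article, run over a constructed crontab; the file names /tmp/.stage1 and /implant are made-up samples, not indicators from the report.

```python
import re
import shlex
# World-writable staging directories where a first-stage payload is typically dropped.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Standard top-level directories; any other bare path directly under "/" is unusual.
KNOWN_ROOT_DIRS = {"/bin", "/boot", "/dev", "/etc", "/home", "/lib", "/lib64", "/mnt",
                   "/opt", "/proc", "/root", "/run", "/sbin", "/srv", "/sys", "/usr", "/var"}

def command_from_entry(entry: str) -> str:
    """Command part of a crontab line; '' for blank, comment or VAR=value lines."""
    line = entry.strip()
    if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
        return ""
    if line.startswith("@"):               # @reboot, @hourly, ... followed by the command
        parts = line.split(None, 1)
        return parts[1] if len(parts) > 1 else ""
    parts = line.split(None, 5)            # five schedule fields, then the command
    return parts[5] if len(parts) == 6 else ""

def suspicious_paths(command: str) -> list[str]:
    """Paths in a cron command that sit in a staging dir or directly under '/'."""
    try:
        tokens = shlex.split(command)
    except ValueError:                     # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    hits = []
    for tok in tokens:
        if tok.startswith(STAGING_DIRS):
            hits.append(tok)
        elif re.fullmatch(r"/[^/\s]+", tok) and tok not in KNOWN_ROOT_DIRS:
            hits.append(tok)               # bare executable at the filesystem root
    return hits

def review_crontab(text: str) -> list[tuple[str, list[str]]]:
    """(entry, flagged paths) for each crontab entry matching the pattern."""
    findings = []
    for entry in text.splitlines():
        hits = suspicious_paths(command_from_entry(entry))
        if hits:
            findings.append((entry.strip(), hits))
    return findings

# Constructed sample crontab: one env line, one benign job, two matching the pattern.
SAMPLE_CRONTAB = """\
MAILTO=root
*/5 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
@reboot /tmp/.stage1 >/dev/null 2>&1
* * * * * /implant -d
"""
```

Run review_crontab over the output of `crontab -l` for each user and over the files under /etc/cron.d to triage hosts; a hit is a lead for manual review, not proof of compromise.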
To maximize the reliability of the connection to its operator over NKN, the malware creates a new account and multiclient on the network so that it can send and receive data from multiple clients at once.
NKAbuse comes equipped with 12 different types of DDoS attack, all of which are associated with known botnets, Kaspersky says.
NKAbuse's RAT functionality is broad, with attackers being able to do things like take screenshots of the victim's desktop and send the converted PNG file back to the operator, in addition to running system commands, removing files, and fetching a file list from a specified directory, among other tasks.
Implants have been spotted at victim organizations based in Mexico, Colombia, and Vietnam.
This Cyber News was published on go.theregister.com. Publication date: Fri, 15 Dec 2023 14:43:12 +0000