A new multiplatform threat uses the peer-to-peer NKN network connectivity protocol as a communication channel for launching a range of threats, from distributed denial-of-service attacks to a remote access trojan.
The multiple-threat malware, dubbed NKAbuse, appears to be targeting Linux desktops, though it also can infect Arm and MIPS systems, which makes it a threat to Internet of Things devices, according to researchers with Kaspersky's Global Emergency Response Team.
A cron job is a Linux command that's used to schedule tasks that will be executed in the future.
If the current user ID on the system is 0 (root), the malware parses the current crontab and adds itself for every reboot.
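A defender's check for the persistence step described above, as an added example that is not part of the original article or Kaspersky's research: it lists the @reboot entries in a crontab and flags those whose executable sits in a hidden or world-writable directory. The directory heuristic, the function names and the sample crontab (with placeholder paths) are assumptions constructed for illustration.

```python
import re
import shlex

# Directories where a legitimate boot-time job rarely lives (heuristic, an assumption).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def reboot_entries(crontab_text, has_user_field=False):
    """Return (line_number, command) for every @reboot entry.
    Set has_user_field=True for /etc/crontab and /etc/cron.d files,
    whose entries carry a user name before the command."""
    wanted = 3 if has_user_field else 2
    found = []
    for number, raw in enumerate(crontab_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue  # skip blanks, comments and environment settings
        fields = line.split(None, wanted - 1)
        if fields[0] == "@reboot" and len(fields) == wanted:
            found.append((number, fields[-1]))
    return found

def is_suspicious(command):
    """Flag commands whose executable is in a hidden or world-writable path."""
    try:
        program = shlex.split(command)[0]
    except (ValueError, IndexError):
        return True  # unparseable quoting in a boot job deserves a manual look
    parts = program.split("/")
    hidden = any(p.startswith(".") and p not in (".", "..") for p in parts)
    return hidden or program.startswith(SUSPECT_DIRS)

def audit(crontab_text, has_user_field=False):
    """Return only the @reboot entries that match the heuristics above."""
    entries = reboot_entries(crontab_text, has_user_field)
    return [entry for entry in entries if is_suspicious(entry[1])]

# Constructed sample of a root crontab; the paths are placeholders, not indicators.
SAMPLE = """\
# m h dom mon dow command
MAILTO=root
15 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /usr/local/bin/start-metrics --quiet
@reboot /root/.cache/placeholder-dir/implant-placeholder
"""

if __name__ == "__main__":
    for number, command in audit(SAMPLE):
        print(f"line {number}: review boot-time job: {command}")
```

To audit a live host, pass the output of crontab -l for root, or the contents of /etc/crontab and /etc/cron.d files with has_user_field=True.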
NKN was launched in 2018 as a blockchain-based P2P network connectivity protocol that aims to motivate internet users via economic incentives to share network connections and utilize unused bandwidth, according to the company.
NKN boasts of being the largest blockchain network in the world, with 63,642 nodes.
Kaspersky's GERT noted that it prioritizes decentralization and privacy, with algorithms designed to optimize data transmission by selecting the shortest node trajectory for reaching its intended destination.
They said that in one case, the malware exploited a six-year-old vulnerability related to Apache Struts2 to attack a financial company they didn't name.
The malware is installed on the target's system through a remote shell script that downloads and executes the implant that is hosted remotely by the attacker.
The malware checks the operating system on the device before downloading the implant.
The server hosting NKAbuse includes eight chip architectures that the malware can support, including i386, two Arm platforms, amd64, and four MIPS architectures - mips, mipsel, mips64, and mips64el.
The malware contains 10 DDoS attacks with different flooding payloads that can be used at the same time.
NKAbuse also comes with a range of backdoor capabilities, with most of the message commands used for keeping persistence in the infected system, executing commands, or gathering information.
The malware talks to the bot master at regular intervals and can store information about the host devices, including the process identifier, the victim's IP address, free memory available, and its current configuration.
It also can take screenshots of what's on the display, then convert them to PNG and send them to the bot master.
It will create files with specific content, remove files, fetch a file list from a specific path, and get a list of processes the system is running and a detailed list of available network interfaces.
NKAbuse also can run system commands executed on behalf of the device user, with the output sent through NKN to the bot master.
This Cyber News was published on securityboulevard.com. Publication date: Fri, 15 Dec 2023 18:43:04 +0000