The malware uses NKN technology for data exchange between peers; it functions as a potent implant equipped with both flooder and backdoor capabilities.
NKAbuse infiltrates systems by uploading an implant to the victim host.
The malware establishes persistence through a cron job and installs itself in the host's home folder.
Historically, malware operators have exploited new and emerging communication protocols like NKN to link up with their command-and-control servers or bot masters.
This threat uses the NKN public blockchain protocol to carry out a large set of flooding attacks and to act as a backdoor inside Linux systems.
The malware is typically installed on the victim's device by executing a remote shell script that downloads and executes the contents of the setup.
The setup process checks the OS type and, depending on that, it downloads the second stage, which is the actual malware implant.
Once executed, the malware checks if it is the only instance running and moves itself to a safe place instead of remaining in the volatile /tmp directory.
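The installation chain described above (remote script fetched and piped to a shell, a second stage staged in /tmp, then relocated and re-launched from the home folder via cron) leaves traces in crontabs that a defender can triage. The following is an added example, not code from the Securelist report or from the malware; the crontab sample is constructed and the path prefixes are assumptions.

```python
"""Triage crontab entries for the persistence pattern the article describes:
a cron job that re-launches an implant stored under a user's home folder,
a binary still staged in a temp directory, or a remote script piped to a shell."""
import re
from dataclasses import dataclass, field

HOME_PREFIXES = ("/home/", "/root/")            # assumption: typical Linux home roots
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
PATH_RE = re.compile(r"(?:/[\w.\-]+)+")           # absolute paths inside the command

@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

def parse_cron_line(line):
    """Return (schedule, command) or None for blanks, comments and VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
        return None
    if s.startswith("@"):                        # @reboot, @hourly, ...
        parts = s.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    parts = s.split(None, 5)                     # five time fields + command
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]

def suspicious_cron_entries(crontab_text):
    findings = []
    for line in crontab_text.splitlines():
        parsed = parse_cron_line(line)
        if not parsed:
            continue
        schedule, command = parsed
        reasons = []
        for p in PATH_RE.findall(command):
            if p.startswith(HOME_PREFIXES):
                kind = "hidden" if "/." in p else "plain"
                reasons.append(f"{schedule} launches a {kind} home-directory binary: {p}")
            if p.startswith(TEMP_PREFIXES):
                reasons.append(f"binary still staged in temp dir: {p}")
        if re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", command):
            reasons.append("remote script piped to a shell")
        if reasons:
            findings.append(Finding(line=line.strip(), reasons=reasons))
    return findings

SAMPLE_CRONTAB = """\
# constructed sample, not taken from a real host
SHELL=/bin/bash
0 3 * * * /usr/local/bin/backup.sh --quiet
@reboot /home/user/.local/share/sysd/agent
*/10 * * * * /tmp/stage2 >/dev/null 2>&1
"""
```

Running `suspicious_cron_entries(SAMPLE_CRONTAB)` flags the `@reboot` home-directory entry and the `/tmp` entry while leaving the legitimate backup job alone; hits are leads for the analyst, not verdicts.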
NKAbuse utilizes the NKN protocol to communicate with the bot master and receive/send information.
To do this, the malware implant creates a new account and a new multiclient, which enables it to send and receive data from multiple clients concurrently, increasing the reliability of its communications with the bot master.
The NKN account is created with the default config options, and then the multiclient is initialized with an identifier, which in our sample is a 64-character string representing the public key and remote address used by the malware.
In the sample, NKAbuse sets up the NKN client structure with the help of this hardcoded public key.
As soon as the client is set up and ready to receive and send data, the malware establishes a handler to accept incoming messages sent by the bot master.
NKAbuse contains a large arsenal of Distributed Denial of Service attacks.
All these payloads have historically been used by botnets; combined with NKN as the communication protocol, the malware can asynchronously wait for the master to launch a combined attack.
NKAbuse has multiple features that turn it into a powerful backdoor or a remote access trojan, not just a DDoS tool.
Another feature of this malware is the ability to make screenshots of the infected machine.
These are executed on behalf of the current user, and the output is sent via NKN to the bot master.
New cross-platform flooders and backdoors like NKAbuse stand out through their utilization of less common communication protocols.
A more detailed analysis of the latest NKAbuse versions is available to customers of our private Threat Intelligence Reports.
This Cyber News was published on securelist.com. Publication date: Thu, 14 Dec 2023 13:13:20 +0000