New NKAbuse malware uses NKN Blockchain technology for DDoS attacks

A new multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communication channel.

“The malware uses NKN technology for data exchange between peers, functions as a powerful implant and is equipped with both flooder and backdoor capabilities,” Russian cybersecurity company Kaspersky said in a Thursday report.

NKN, which has more than 62,000 nodes, is described as a “software overlay network built on top of today’s Internet that allows users to share unused bandwidth and earn token rewards.” It includes a blockchain layer on top of the existing TCP/IP stack.

While threat actors are known to take advantage of emerging communications protocols for command-and-control (C2) purposes and to evade detection, NKAbuse leverages blockchain technology to launch and operate distributed denial-of-service (DDoS) attacks as an implant in compromised systems.

Specifically, it uses the protocol to talk to the botmaster and to send and receive commands. The malware is implemented in the Go programming language, and there is evidence that it is mainly used to target Linux systems, including IoT devices, in Colombia, Mexico and Vietnam.

It is currently unknown how widespread the attacks are, but one case identified by Kaspersky involves the exploitation of a six-year-old critical vulnerability in Apache Struts (CVE-2017-5638, CVSS score: 10.0) to penetrate a named financial company.

Successful exploitation is followed by the delivery of an initial shell script responsible for downloading the implant from a remote server, but not before checking the target host’s operating system. The server hosting the malware contains eight different versions of NKAbuse to support different CPU architectures: i386, arm64, arm, amd64, mips, mipsel, mips64, and mips64el.

Another notable aspect is the lack of a self-propagation mechanism, which means that the malware must be delivered to a target via a different initial access path, for example by exploiting security flaws.

“NKAbuse uses cron jobs to survive reboots,” Kaspersky said. “To achieve that, it must be root. It checks if the current user ID is 0 and if so, it continues parsing the current crontab, adding itself for each restart.”
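As an added example (not from Kaspersky's report or the original article), the following Python sketch audits root's crontab for reboot-time entries, the persistence method described above. The sample crontab, the directory heuristics and the allowlisted path are constructed assumptions for illustration.

```python
import shlex
from pathlib import PurePosixPath

# Heuristic: world-writable locations (an assumption of this example, not from the report).
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample of what `crontab -l -u root` might return on a host under review.
SAMPLE = """\
# constructed sample crontab
MAILTO=root
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /usr/local/sbin/mount-data.sh
@reboot /root/.cache/updater/svc >/dev/null 2>&1
@reboot /tmp/.x/agent
"""

def reboot_entries(crontab_text):
    """Yield (line_number, command) for every @reboot entry in a user crontab."""
    for number, raw in enumerate(crontab_text.splitlines(), start=1):
        fields = raw.strip().split(None, 1)
        # Comments, blank lines, variables and timed jobs never start with "@reboot".
        if len(fields) == 2 and fields[0].lower() == "@reboot":
            yield number, fields[1]

def audit(crontab_text, allowlist=()):
    """Return (line_number, executable, reasons) for @reboot jobs not in the allowlist."""
    findings = []
    for number, command in reboot_entries(crontab_text):
        try:
            exe = shlex.split(command)[0]
        except (ValueError, IndexError):
            exe = command.split()[0]  # unbalanced quotes: fall back to a plain split
        if exe in allowlist:
            continue
        reasons = []
        if exe.startswith(tuple(d + "/" for d in WRITABLE_DIRS)):
            reasons.append("world-writable directory")
        # Any dot-prefixed parent directory hides the binary from a plain `ls`.
        if any(p.startswith(".") for p in PurePosixPath(exe).parts[:-1]):
            reasons.append("hidden directory")
        findings.append((number, exe, reasons or ["not in allowlist"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, allowlist=("/usr/local/sbin/mount-data.sh",)):
        print(finding)
```

Every `@reboot` job outside the allowlist is reported, so the allowlist should hold only entries the administrator has verified.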

NKAbuse also includes a host of backdoor features that allow it to periodically send the botmaster a heartbeat message containing information about the system, take screenshots of the current screen, perform file operations, and execute system commands.

“This particular implant appears to have been carefully crafted for integration into a botnet, yet can adapt to function as a backdoor in a specific host,” Kaspersky said. “Additionally, the use of blockchain technology guarantees both reliability and anonymity, indicating that this botnet can steadily expand over time, seemingly without an identifiable central controller.”

“We are surprised to see NKN being used in such a way,” Zheng “Bruce” Li, co-founder of NKN, told The Hacker News. “We built NKN to provide true peer-to-peer communications that are secure, private, decentralized, and massively scalable. We’re trying to learn more about the report to see if together we can make the Internet safe and neutral.”

