A newly discovered malware strain named NKAbuse uses NKN (New Kind of Network) blockchain technology for communication. NKN is a decentralized, peer-to-peer network connectivity protocol. NKAbuse is described as a potent implant with flooder and backdoor capabilities that relies on NKN for data exchange between peers.
NKN, which has over 62,000 nodes, is a software overlay network built on top of the existing internet that lets users share unused bandwidth and earn token rewards. The malware is written in the Go programming language and primarily targets Linux systems, including IoT devices. NKAbuse uses the NKN protocol for command and control, allowing threat actors to conduct distributed denial-of-service (DDoS) attacks.
One identified instance of NKAbuse involved the exploitation of a six-year-old critical security flaw in Apache Struts (CVE-2017-5638) to breach a financial company. Upon successful exploitation, the malware delivers an initial shell script that downloads the implant from a remote server. Notably, NKAbuse lacks a self-propagation mechanism and needs to be delivered through another initial access pathway, such as exploiting security flaws.
The malware also uses cron jobs to survive reboots, which requires root access. NKAbuse includes various backdoor features that let it send periodic heartbeat messages to the bot master, capture screenshots, perform file operations, and execute system commands. The use of blockchain technology in NKAbuse ensures reliability and anonymity, potentially allowing the botnet to expand steadily over time without an identifiable central controller. The co-founder of NKN expressed surprise at the misuse of NKN and is reportedly working to understand the report, with a view to possible collaboration on improving internet safety.
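For the cron-based persistence described above, a defender can review root-owned reboot jobs. The following is an added example, not code from the report or from NKN: it parses crontab text and flags `@reboot` entries that run as root from temp, home or hidden directories. The path heuristics, function names and sample crontabs are assumptions constructed for illustration, and jobs that persist through a frequent schedule instead of `@reboot` are out of its scope.

```python
import re

# Heuristic locations (assumptions of this example, not indicators from the report).
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/", "/home/")

def parse_crontab(text, system=False):
    """Yield (schedule, user, command); system=True means /etc/crontab or
    /etc/cron.d format, which has a user field before the command."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"[A-Za-z_]\w*\s*=", line):  # environment line, e.g. MAILTO=root
            continue
        nsched = 1 if line.startswith("@") else 5
        parts = line.split(None, nsched + (1 if system else 0))
        sched, rest = " ".join(parts[:nsched]), parts[nsched:]
        if len(rest) != (2 if system else 1):
            continue  # malformed or truncated entry
        user, command = (rest[0], rest[1]) if system else (None, rest[0])
        yield sched, user, command

def suspect_path(command):
    """Return the first path in the command that sits in a temp, home or hidden directory."""
    for token in re.findall(r"/[^\s;&|<>'\"]+", command):
        if token.startswith(SUSPECT_PREFIXES) or "/." in token:
            return token
    return None

def flag_reboot_jobs(text, owner="root", system=False):
    """Return (user, path, command) for @reboot jobs that run as root from a suspect path."""
    findings = []
    for sched, user, command in parse_crontab(text, system):
        runs_as = user or owner  # per-user crontabs run as the crontab's owner
        path = suspect_path(command)
        if sched == "@reboot" and runs_as == "root" and path:
            findings.append((runs_as, path, command))
    return findings

# Constructed samples, not taken from an infected host.
SAMPLE_ROOT_CRONTAB = """\
MAILTO=root
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /usr/local/bin/start-agent --quiet
@reboot /root/.cache/example/agent >/dev/null 2>&1
*/5 * * * * /tmp/job.sh
"""
SAMPLE_CRON_D = """\
@reboot root /var/tmp/.x/svc
@reboot www-data /tmp/cache-warm.sh
"""

if __name__ == "__main__":
    for hit in flag_reboot_jobs(SAMPLE_ROOT_CRONTAB) + flag_reboot_jobs(SAMPLE_CRON_D, system=True):
        print(hit)
```

On a live host the input would be the output of `crontab -l -u root` and the files under `/etc/cron.d` (with `system=True`); a flagged entry is a lead for review, not a verdict.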