Skip links

NKabuse backdoor harnesses blockchain brawn to hit several architectures

Incident responders say they’ve found a new type of multi-platform malware abusing the New Kind of Network (NKN) protocol.

Dubbed “NKAbuse” by the researchers, the Go-based backdoor offers criminal attackers a range of possibilities, including being able to DDoS or fling remote access trojans (RATs), and leans on NKN for more anonymous yet reliable data exchange.

NKN is an open source protocol that lets users perform a peer-to-peer (P2P) data exchange over a public blockchain – like a cross between a traditional blockchain and the Tor network. More than 60,000 official nodes are active and the network’s algorithms determine the optimum route for data exchange across those nodes.

It aims to provide a decentralized alternative to client-to-server methods of data exchange while preserving speed and privacy. Historically, network protocols like NKN have been used by cybercriminals to establish command and control (C2) infrastructure – a means to anonymize the malicious traffic sent between the malware and its operator.

Researchers at Kaspersky say they uncovered NKAbuse while looking into an incident at one of its customers in the finance sector. NKAbuse apparently exploits an old Apache Struts 2 vulnerability (CVE-2017-5638) and can target eight different architectures, although Linux appears to be the priority.

The incident saw the attackers use a publicly available proof of concept (PoC) exploit for the Struts 2 flaw, allowing it to execute a remote shell script and determine the victim’s operating system, determining which second-stage payload is installed.

Analyzing an example attack with NKAbuse’s amd64 (x86-64) version, after initially being placed in the /tmp directory, the implant checks that it’s the only instance running and moves to the system’s root, then achieves persistence through the use of cron jobs.

To maximize the reliability of the connection to its operator over NKN, the malware creates a new account and multiclient on the network so that it can send and receive data from multiple clients at once.

NKAbuse comes equipped with 12 different types of DDoS attack, all of which are associated with known botnets, Kaspersky says.

“Although relatively rare, new cross-platform flooders and backdoors like NKAbuse stand out through their utilization of less common communication protocols,” the researchers say in the post. 

“This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host. Moreover, its use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller.”

NKAbuse’s RAT functionality is broad, with attackers being able to do things like take screenshots of the victim’s desktop and send the converted PNG file back to the operator, in addition to running system commands, removing files, and fetching a file list from a specified directory, among other tasks.

So far, implants have been spotted at victim organizations based in Mexico, Colombia, and Vietnam. ®