Saturday, May 18, 2024

NKAbuse Malware Attacking Linux Desktops & Use Corn Job for Persistence

Threat actors target Linux systems due to their prevalence in server environments, and cron jobs offer a discreet means of maintaining unauthorized access over an extended period.

Kaspersky experts discovered “NKAbuse,” a versatile malware using NKN tech for peer data exchange, written in Go with cross-architecture compatibility. 

Targeting Linux desktops primarily, it threatens:-

  • MISP
  • ARM systems
  • IoT devices

Infiltrating via implant upload, it establishes persistence through a cron job in the home folder, featuring:-

  • Flooding 
  • Backdoor access

NKAbuse Malware Attacking Linux Desktops

NKN (New Kind of Network) is a decentralized protocol prioritizing privacy, with more than 60,000 nodes. Featuring diverse routing algorithms, it optimizes data transmission. 

Besides this, malware exploits like the (ab)use of NKN’s blockchain protocol enable flooding attacks and Linux system backdoors.

NKN data routing diagram (Source - Securelits)
NKN data routing diagram (Source – Securelits)

GERT finds evidence indicating a Struts2 (CVE-2017-5638) exploit in an attack on a financial firm. The vulnerability allows command execution via a “shell” header, leading to script download and malware installation on the victim’s device. 

The setup process checks the OS type, downloads the second stage (malware), named “app_linux_{ARCH},” and executes it from the /tmp directory.

The malware supports eight architectures, and here below, we have mentioned them:-

  • 386
  • arm64
  • arm
  • amd64
  • mips
  • mipsel
  • mips64
  • mips64el

Malware NKAbuse, when executed, relocates to /root/.config/StoreService/, retrieves IP via ifconfig.me, and utilizes cron jobs for reboot survival. 

It employs NKN protocol for communication, creating an account, and multiclient for concurrent data exchange. 

With a handler for bot master messages, NKAbuse executes DDoS attacks, including a unique DNS overflow targeting “{JUNK}.google.com” subdomains.

According to researchers, NKAbuse is not just a DDoS tool but also a highly capable backdoor/RAT that offers various features for maintaining persistence, executing commands, and gathering sensitive information.

Its ability to operate as a backdoor and remotely control infected systems makes it a serious threat to cybersecurity.

It establishes a “Heartbeat” structure for regular communication with the bot master, storing host details, and the capabilities include:-

  • Taking screenshots
  • Creating/removing files
  • Fetching file lists
  • Listing processes
  • Running system commands
  • Sending output via NKN

NKAbuse is a unique cross-platform threat that stands out for its use of uncommon communication protocols. Crafted for botnet integration, it doubles as a host-specific backdoor.

IOCs

Host-based:-

  • MD5: 11e2d7a8d678cd72e6e5286ccfb4c833

Files created:-

  • /root/.config/StoreService
  • /root/.config/StoreService/app_linux_amd64
  • /root/.config/StoreService/files
  • /root/.config/StoreService/.cache
Website

Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles