NKAbuse Malware Attacking Linux Desktops & Use Corn Job for Persistence

Threat actors target Linux systems due to their prevalence in server environments, and cron jobs offer a discreet means of maintaining unauthorized access over an extended period.

Kaspersky experts discovered “NKAbuse,” a versatile malware using NKN tech for peer data exchange, written in Go with cross-architecture compatibility. 

Targeting Linux desktops primarily, it threatens:-

• MISP
• ARM systems
• IoT devices

Infiltrating via implant upload, it establishes persistence through a cron job in the home folder, featuring:-

• Flooding
• Backdoor access

NKAbuse Malware Attacking Linux Desktops

NKN (New Kind of Network) is a decentralized protocol prioritizing privacy, with more than 60,000 nodes. Featuring diverse routing algorithms, it optimizes data transmission. 

Besides this, malware exploits like the (ab)use of NKN’s blockchain protocol enable flooding attacks and Linux system backdoors.

GERT finds evidence indicating a Struts2 (CVE-2017-5638) exploit in an attack on a financial firm. The vulnerability allows command execution via a “shell” header, leading to script download and malware installation on the victim’s device. 

The setup process checks the OS type, downloads the second stage (malware), named “app_linux_{ARCH},” and executes it from the /tmp directory.

The malware supports eight architectures, and here below, we have mentioned them:-

• 386
• arm64
• arm
• amd64
• mips
• mipsel
• mips64
• mips64el

Malware NKAbuse, when executed, relocates to /root/.config/StoreService/, retrieves IP via ifconfig.me, and utilizes cron jobs for reboot survival. 

It employs NKN protocol for communication, creating an account, and multiclient for concurrent data exchange. 

With a handler for bot master messages, NKAbuse executes DDoS attacks, including a unique DNS overflow targeting “{JUNK}.google.com” subdomains.

According to researchers, NKAbuse is not just a DDoS tool but also a highly capable backdoor/RAT that offers various features for maintaining persistence, executing commands, and gathering sensitive information.

Its ability to operate as a backdoor and remotely control infected systems makes it a serious threat to cybersecurity.

It establishes a “Heartbeat” structure for regular communication with the bot master, storing host details, and the capabilities include:-

• Taking screenshots
• Creating/removing files
• Fetching file lists
• Listing processes
• Running system commands
• Sending output via NKN

NKAbuse is a unique cross-platform threat that stands out for its use of uncommon communication protocols. Crafted for botnet integration, it doubles as a host-specific backdoor.

IOCs

Host-based:-

• MD5: 11e2d7a8d678cd72e6e5286ccfb4c833

Files created:-

• /root/.config/StoreService
• /root/.config/StoreService/app_linux_amd64
• /root/.config/StoreService/files
• /root/.config/StoreService/.cache