SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Kaspersky discovers dual-threat NKAbuse malware in Latin America and Vietnam
Fri, 5th Jan 2024

In a recent digital security response, experts at cyber protection firm, Kaspersky, have discovered a new and potentially devastating malware variant that is leveraging NKN technology - a blockchain-based networking protocol recognised for its peer-to-peer decentralisation and privacy features.

The malicious software, dubbed NKAbuse, is a multiplatform hybrid implant that acts as both a flooder and a backdoor/RAT (Remote Access Trojan), offering a double threat to systems. Kaspersky's analysis unveiled potential victims of the ominous malware in Colombia, Mexico, and Vietnam.

NKAbuse provides attackers with unauthorised access to victims' systems, as a backdoor/RAT, enabling the perpetrator to covertly execute commands, steal data, and monitor activities. This facet of its functionality makes it a powerful tool for spying and data extraction.

At the same time, its deployment as a flooder enables it to launch damaging Distributed Denial of Service (DDoS) attacks, causing system overloads and disruption to targeted servers or networks, something that can cause significant impact on organisational operations.

Aside from these features, the malware also boasts advanced capabilities such as capturing screenshots, managing files, collecting system and network information, and executing system commands. All gathered data is channelled to its controlling botmaster via the covert NKN network using decentralised and efficient communications for evasion and operational efficiency.

Via the exploitation of an outdated RCE vulnerability referred to as CVE-2017-5638, attackers begin the infiltration process, taking control of the compromised systems. Following this, the NKAbuse malware is downloaded onto the victim's host. Ensuring its continuous operation, the implant then establishes system persistence by creating a cron job and situating itself within the host's home folder.

Commenting on this threat, Lisandro Ubiedo, Security Researcher at Kaspersky's GReAT, noted, "The implant's use of the NKN protocol underlines its advanced communication strategy, enabling decentralised, anonymous operations and leveraging NKN's blockchain features for efficient, stealthy communication between infected nodes and C2 servers. This approach complicates detection and mitigation efforts."

NKAbuse's programming language of choice, Go, grants it cross-platform compatibility, permitting the malware to target diverse operating systems and architecture. This crosses the gamut from Linux desktops to IoT devices, enhancing performance, especially within networked applications.

Furthermore, it facilitates efficient and concurrent processing, with the power to create self-contained binaries bolstering deployment and robustness.

To counter the emerging risks of this sophisticated cyber threat, Kaspersky's team of experts propose a range of measures.

These include regularly updating operating systems, applications and antivirus software; providing the Security Operations Centre (SOC) team with access to the latest threat intelligence; upskilling the cybersecurity team; implementing endpoint level detection software, and investigating alerts and threats with Incident Response and Digital Forensics services.