Complex 'NKAbuse' Malware Uses Blockchain to Hide on Linux, IoT Machines

A sophisticated and versatile malware called NKAbuse has been discovered operating as both a flooder and a backdoor, targeting Linux desktops in Colombia, Mexico, and Vietnam.

According to a report this week from Kaspersky, this cross-platform threat, written in Go, exploits the NKN blockchain-oriented peer-to-peer networking protocol. NKAbuse can infect Linux systems, as well as Linux-derived architectures like MISP and ARM — which places Internet of Things (IoT) devices at risk as well.

The decentralized NKN network hosts more than 60,000 official nodes, and employs various routing algorithms to streamline data transmission by identifying the most efficient node pathway toward a given payload's destination.

A Unique Multitool Malware Approach

Lisandro Ubiedo, security researcher at Kaspersky, explains that what makes this malware unique is the use of the NKN technology to receive and send data from and to its peers, and its use of Go to generate different architectures, which could infect different types of systems.

It functions as a backdoor to grant unauthorized access, with most of its commands centering on persistence, command execution, and information gathering. The malware can, for instance, capture screenshots by identifying display bounds, convert them to PNG, and transmit them to the bot master, according to Kaspersky's malware analysis of NKAbuse.

Simultaneously, it acts as a flooder, launching destructive distributed denial of service (DDoS) attacks that can disrupt targeted servers and networks, carrying the risk of significantly impacting organizational operations.

"It is a powerful Linux implant with flooder and backdoor capabilities that can attack a target simultaneously using multiple protocols like HTTP, DNS, or TCP, for example, and can also allow an attacker control the system and extract information from it," Ubiedo says. "All in the same implant."

The implant also includes a "Heartbeat" structure for regular communication with the bot master, storing data on the infected host like PID, IP address, memory, and configuration.

He adds that before this malware went live in the wild, there was a proof-of-concept (PoC) called NGLite that explored the possibility of using NKN as a remote administration tool, but it wasn't as extensively developed nor as fully armed as NKAbuse.

Blockchain Used to Mask Malicious Code

Peer-to-peer networks have previously been used to distribute malware, including a "cloud worm" discovered by Palo Alto Network's Unit 42 in July 2023, thought to be the first stage of a wider cryptomining operation.

And in October, the ClearFake campaign was discovered utilizing proprietary blockchain tech to conceal harmful code, distributing malware like RedLine, Amadey, and Lumma through deceptive browser update campaigns.

That campaign, which uses a technique called "EtherHiding," showcased how attackers are exploiting blockchain beyond cryptocurrency theft, highlighting its use in concealing diverse malicious activities.

"[The] use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller," the Kaspersky report noted.

Updating Antivirus and Deploying EDR

Notably, the malware has no self-propagation mechanism — instead, it relies on someone exploiting a vulnerability to deploy the initial infection. In the attacks that Kaspersky observed, for instance, the attack chain began with the exploitation of an old vulnerability in Apache Struts 2 (CVE-2017-5638, which is incidentally the same bug used to kick off the massive Equifax data breach of 2017).

Thus, to prevent targeted attacks by known or unknown threat actors using NKAbuse, Kaspersky advises organizations keep operating systems, applications, and antivirus software updated to address known vulnerabilities.

After a successful exploit, the malware then infiltrates victim devices by running a remote shell script (setup.sh) hosted by attackers, which downloads and executes a second-stage malware implant tailored to the target OS architecture, stored in the /tmp directory for execution.

As a result, the security firm also recommends deployment of endpoint detection and response (EDR) solutions for post-compromise cyber-activity detection, investigation, and prompt incident remediation.