The newly discovered NKAbuse malware utilizes the NKN blockchain for covert communications.
15 Dec 2023
In a recent cybersecurity investigation, experts from Kaspersky uncovered a novel malware leveraging NKN technology, a decentralized, blockchain-based networking protocol known for its emphasis on privacy. This malware, named NKAbuse, was found to have potential victims in Colombia, Mexico, and Vietnam, as identified by the Kaspersky Security Network.
NKAbuse is a multifunctional implant, functioning both as a backdoor/RAT and a flooder. In its role as a backdoor/RAT, it provides illicit access to infected systems, allowing attackers to secretly execute commands, exfiltrate data, and monitor user activities, which is particularly useful for espionage. As a flooder, it can launch severe DDoS attacks, targeting servers or networks and causing significant operational disruptions.
The malware boasts advanced capabilities such as screenshot capture, file management, system and network information retrieval, and command execution. It communicates the gathered data to its controller using the NKN network, utilizing decentralized communication for stealthy and efficient data transmission.
NKAbuse infiltrates systems by exploiting the older RCE vulnerability CVE-2017-5638. Once it gains access, the malware downloads an implant into a temporary directory and executes it from there. To maintain persistence, it creates a cron job and copies itself into the host’s home folder.
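As an added example (not from the report or from Kaspersky), the following Python check parses crontab entries and flags jobs whose executable lives under a temporary or home directory, the persistence pattern described above; the sample crontab and the directory watch list are constructed assumptions, not indicators from the report.

```python
import re

# Constructed sample crontab (not from the report). The last two entries
# mimic the pattern above: a job launching a binary dropped under a user's
# home directory or a temporary directory.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
@reboot /home/app/.local/updater >/dev/null 2>&1
* * * * * /tmp/.x/run -c /tmp/.x/cfg
"""

# Assumed watch list: directories a legitimate cron job rarely executes from.
SUSPICIOUS_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/root")

# Either an @-shortcut (@reboot, @daily, ...) or five schedule fields.
SCHEDULE_RE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.+)$")


def parse_crontab_line(line):
    """Return (schedule, command) or None for comments, blanks and env lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = SCHEDULE_RE.match(line)
    if not m:
        return None
    return m.group(1).strip(), m.group(2).strip()


def command_executable(command):
    """First token of the command, skipping leading VAR=value assignments."""
    for token in command.split():
        if "=" in token and not token.startswith("/"):
            continue
        return token
    return ""


def is_suspicious_path(path):
    """True if the executable path sits under one of the watched prefixes."""
    return any(path == p or path.startswith(p + "/") for p in SUSPICIOUS_PREFIXES)


def find_suspicious_jobs(crontab_text):
    """Return [(schedule, executable)] for jobs launched from watched dirs."""
    findings = []
    for line in crontab_text.splitlines():
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        exe = command_executable(command)
        if is_suspicious_path(exe):
            findings.append((schedule, exe))
    return findings


if __name__ == "__main__":
    for schedule, exe in find_suspicious_jobs(SAMPLE_CRONTAB):
        print(f"suspicious cron job: {schedule!r} runs {exe}")
```

On a real host the same function can be fed the output of `crontab -l` for each user and the files under /etc/cron.d; a hit is a lead to triage, not proof of compromise.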
Lisandro Ubiedo, a Security Researcher at Kaspersky’s GReAT, highlighted the implant’s sophisticated use of the NKN protocol for decentralized, anonymous operations, leveraging blockchain features for covert communication. This method makes detection and countermeasures more challenging.
The malware’s use of the Go programming language gives it cross-platform reach across a range of operating systems and architectures, including Linux and IoT devices. Go suits network-facing implants because it performs well for networked applications and compiles to standalone binaries, which simplifies deployment.