Threat actors target Linux systems due to their prevalence in server environments, and cron jobs offer a discreet means of maintaining unauthorized access over an extended period.
Kaspersky experts discovered “NKAbuse,” a versatile malware using NKN tech for peer data exchange, written in Go with cross-architecture compatibility.
Targeting Linux desktops primarily, it threatens:-
MISP
ARM systems
IoT devices
Infiltrating via implant upload, it establishes persistence through a cron job in the home folder, featuring:-
Flooding
Backdoor access
NKAbuse Malware Attacking Linux Desktops
NKN (New Kind of Network) is a decentralized protocol prioritizing privacy, with more than 60,000 nodes. Featuring diverse routing algorithms, it optimizes data transmission.
Besides this, malware exploits like the (ab)use of NKN’s blockchain protocol enable flooding attacks and Linux system backdoors.
NKN data routing diagram (Source – Securelits) GERT finds evidence indicating a Struts2 ( CVE-2017-5638 ) exploit in an attack on a financial firm. The vulnerability allows command execution via a “shell” header, leading to script download and malware installation on the victim’s device.
The setup process checks the OS type, downloads the second stage (malware), named “app_linux_{ARCH},” and executes it from the /tmp directory.
The malware supports eight architectures, and here below, we have mentioned them:-
386
arm64
arm
amd64
mips
mipsel
mips64
mips64el
Malware NKAbuse, when executed, relocates to /root/.config/StoreService/, retrieves IP via ifconfig.me, and utilizes cron jobs for reboot survival.
It employs NKN protocol for communication, creating an account, and multiclient for concurrent data exchange.
With a handler for bot master messages, NKAbuse executes DDoS attacks, including a unique DNS overflow targeting “{JUNK}.google.com” subdomains.
According to researchers , NKAbuse is not just a DDoS tool but also a highly capable backdoor/RAT that offers various features for maintaining persistence, executing commands, and gathering sensitive information.
Its ability to operate as a backdoor and remotely control infected systems makes it a serious threat to cybersecurity.
It establishes a “Heartbeat” structure for regular communication with the bot master, storing host details, and the capabilities include:-
Taking screenshots
Creating/removing files
Fetching file lists
Listing processes
Running system commands
Sending output via NKN
NKAbuse is a unique cross-platform threat that stands out for its use of uncommon communication protocols. Crafted for botnet integration, it doubles as a host-specific backdoor.
IOCs
Host-based:-
MD5: 11e2d7a8d678cd72e6e5286ccfb4c833
Files created:-
/root/.config/StoreService
/root/.config/StoreService/app_linux_amd64
/root/.config/StoreService/files
/root/.config/StoreService/.cache
The post NKAbuse Malware Attacking Linux Desktops & Use Corn Job for Persistence appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform .
Top News
-
U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain
Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider. The individual, a...
-
Lừa đảo mạo danh ‘nở rộ’ trên không gian mạng và ngày càng tinh vi
Dù hình thức không mới song lừa đảo mạo danh hiện vẫn đang khiến nhiều người dân tại Việt Nam và trên thế giới sập bẫy, bị chiếm đoạt tài sản.
-
Lừa đảo đánh cắp mã OTP tinh vi, tấn công mạng tận dụng lỗ hổng mới
Xuất hiện lừa đảo đánh cắp mã OTP tinh vi; Hacker gia tăng tốc độ tận dụng các lỗ hổng mới,... là những thông tin công nghệ trong nước nổi bật...
-
Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users
Hackers are targeting, attacking, and exploiting ML models. They want to hack into these systems to steal sensitive data, interrupt services, or...
-
Sleepy Pickle - Kỹ thuật tấn công mới nhắm vào các mô hình học máy
Sleepy Pickle là một kỹ thuật tấn công mới lạ và bí mật nhắm vào chính mô hình ML (Machine Learning) thay vì hệ thống cơ bản. {...