NKAbuse Malware Attacking Linux Desktops & Use Corn Job for Persistence

Threat actors target Linux systems due to their prevalence in server environments, and cron jobs offer a discreet means of maintaining unauthorized access over an extended period.



Kaspersky experts discovered “NKAbuse,” a versatile malware using NKN tech for peer data exchange, written in Go with cross-architecture compatibility. 



Targeting Linux desktops primarily, it threatens:-



MISP



ARM systems



IoT devices
Infiltrating via implant upload, it establishes persistence through a cron job in the home folder, featuring:-



Flooding 



Backdoor access
NKAbuse Malware Attacking Linux Desktops



NKN (New Kind of Network) is a decentralized protocol prioritizing privacy, with more than 60,000 nodes. Featuring diverse routing algorithms, it optimizes data transmission. 



Besides this, malware exploits like the (ab)use of NKN’s blockchain protocol enable flooding attacks and Linux system backdoors.



NKN data routing diagram (Source – Securelits) GERT finds evidence indicating a Struts2 ( CVE-2017-5638 ) exploit in an attack on a financial firm. The vulnerability allows command execution via a “shell” header, leading to script download and malware installation on the victim’s device. 



The setup process checks the OS type, downloads the second stage (malware), named “app_linux_{ARCH},” and executes it from the /tmp directory.



The malware supports eight architectures, and here below, we have mentioned them:-



386



arm64



arm



amd64



mips



mipsel



mips64



mips64el
Malware NKAbuse, when executed, relocates to /root/.config/StoreService/, retrieves IP via ifconfig.me, and utilizes cron jobs for reboot survival. 



It employs NKN protocol for communication, creating an account, and multiclient for concurrent data exchange. 



With a handler for bot master messages, NKAbuse executes DDoS attacks, including a unique DNS overflow targeting “{JUNK}.google.com” subdomains.



According to researchers , NKAbuse is not just a DDoS tool but also a highly capable backdoor/RAT that offers various features for maintaining persistence, executing commands, and gathering sensitive information.



Its ability to operate as a backdoor and remotely control infected systems makes it a serious threat to cybersecurity.



It establishes a “Heartbeat” structure for regular communication with the bot master, storing host details, and the capabilities include:-



Taking screenshots



Creating/removing files



Fetching file lists



Listing processes



Running system commands



Sending output via NKN
NKAbuse is a unique cross-platform threat that stands out for its use of uncommon communication protocols. Crafted for botnet integration, it doubles as a host-specific backdoor.



IOCs



Host-based:-



MD5: 11e2d7a8d678cd72e6e5286ccfb4c833
Files created:-



/root/.config/StoreService



/root/.config/StoreService/app_linux_amd64



/root/.config/StoreService/files



/root/.config/StoreService/.cache
The post NKAbuse Malware Attacking Linux Desktops & Use Corn Job for Persistence appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform .