Rewterz Threat Alert – Sandman APT Linked to China-Based KEYPLUG Backdoor– Active IOCs
December 22, 2023
Rewterz Threat Alert – ALPHV Ransomware Gang Stole Over $300 Million from More Than 1000 Victims
December 22, 2023
Severity
High
Analysis Summary
Researchers have discovered a new multi-platform malware, dubbed NKAbuse, that uses a peer-to-peer, decentralized connectivity protocol called New Kind of Network (NKN) as its communication channel.
The malware uses NKN to transfer data between peers; it functions as an implant and has backdoor capabilities. NKN is a software overlay network with more than 62,000 nodes, built on top of today's Internet, that lets users share unused bandwidth and earn token rewards. It adds a blockchain layer over the existing TCP/IP stack.
Cybercriminals are known to adopt new communication protocols for command-and-control (C2) and detection evasion. NKAbuse takes advantage of blockchain technology to perform DDoS attacks and to act as an implant inside infected devices. It uses the NKN protocol to communicate with the bot master, sending and receiving commands. The malware is written in the Go programming language.
The security analysts said, “Our analysis suggests that the primary target of NKAbuse is Linux desktops. However, in view of its ability to infect MIPS and ARM systems, it also poses a threat to IoT devices.”
Researchers are unsure how widespread the attacks are, but one identified instance exploited a six-year-old vulnerability in Apache Struts, tracked as CVE-2017-5638 with a critical CVSS score of 10, to infiltrate a financial company.

After successful exploitation, the operating system of the compromised host is checked and an initial shell script is delivered that downloads the implant from a remote server. The server hosts eight different versions of the NKAbuse malware supporting several CPU architectures, namely arm64, i386, arm, mips, amd64, mips64, and mips64el. The malware cannot propagate on its own; it has to be delivered through another initial access pathway, such as the exploitation of a vulnerability.
NKAbuse can survive a system reboot once it has root access: it checks whether the current user ID is 0, parses the crontab currently in use, and adds an entry that runs it at every reboot. It comes with a variety of backdoor features: it periodically sends messages to the bot master containing screenshots and system information, runs system commands, and performs file operations.
This implant may have been developed for integration into a botnet and then adapted to function as a backdoor inside a specific host. Using blockchain technology gives the C2 channel reliability and anonymity, which helps it evade detection, and shows the botnet's potential to expand swiftly over time.
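The reboot persistence described above (a root-level implant adding itself to the current crontab) leaves a trace a defender can look for. The following Python is an added example for this alert, not code from Rewterz or from the NKAbuse authors: it parses crontab text in the format `crontab -l` prints and reports `@reboot` entries whose program lives in a world-writable or user-owned directory. The sample crontab, the directory list and the `/tmp/.x/...` path are constructed for illustration and are not NKAbuse indicators.

```python
"""Flag crontab entries that re-launch a program at every reboot from an unusual location."""
import re
import shlex
from typing import List, Tuple

# Directories from which a reboot-persisted binary is unusual enough to investigate
# (assumed list for this example; tune it to the host's baseline).
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# Constructed sample crontab: two ordinary entries and one reboot-persisted payload.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /usr/sbin/ntpd -g
@reboot /tmp/.x/app_linux_amd64 >/dev/null 2>&1
MAILTO=root
"""


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (schedule, command) pairs, skipping comments, blank lines and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue  # environment assignment such as MAILTO=root
        if line.startswith("@"):
            # @reboot, @daily, ... : the schedule is a single token
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed entry, nothing cron would run
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append((schedule, command.strip()))
    return entries


def executable_path(command: str) -> str:
    """First token of the command line, i.e. the program cron will execute."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()  # unbalanced quotes: fall back to whitespace split
    return tokens[0] if tokens else ""


def find_reboot_persistence(text: str) -> List[str]:
    """Commands scheduled with @reboot whose program runs from a suspicious directory."""
    hits = []
    for schedule, command in parse_crontab(text):
        if schedule != "@reboot":
            continue
        if executable_path(command).startswith(SUSPICIOUS_PREFIXES):
            hits.append(command)
    return hits


if __name__ == "__main__":
    # On a live host, feed the output of `crontab -l` (per user) and the files
    # under /etc/cron.d instead of the constructed sample.
    for hit in find_reboot_persistence(SAMPLE_CRONTAB):
        print("suspicious @reboot entry:", hit)
```

The check deliberately keys on the program's directory rather than on a file name, since the implant's name varies per architecture; a full sweep should also cover root's crontab, every user's crontab and `/etc/cron.d`, because the alert only says the implant edits the crontab "currently in use".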
Impact
- Sensitive Information Theft
- Code Execution
- Distributed Denial of Service
Indicators of Compromise
MD5
- 11e2d7a8d678cd72e6e5286ccfb4c833
SHA-256
- 2f2fda8895e69ceabeb1cf566b9a3ae5784657cc84aa07f42311bb5ef776debf
SHA-1
- 9b28c9842febf26841d4e5ce895fcfae90c3f4fb
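The hashes above are the alert's file indicators. As an added example (not part of the Rewterz alert), the Python below computes MD5, SHA-1 and SHA-256 of a file in a single pass and sweeps a directory tree for matches; the three digests are copied from the alert, while the function names, chunk size and default scan directory are this example's own choices.

```python
"""Sweep a directory tree for files whose digest matches the published NKAbuse IOCs."""
import hashlib
import os
from typing import Dict, List

# Hashes exactly as listed in the alert, keyed by hashlib algorithm name.
NKABUSE_IOCS: Dict[str, str] = {
    "md5": "11e2d7a8d678cd72e6e5286ccfb4c833",
    "sha1": "9b28c9842febf26841d4e5ce895fcfae90c3f4fb",
    "sha256": "2f2fda8895e69ceabeb1cf566b9a3ae5784657cc84aa07f42311bb5ef776debf",
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digest an in-memory buffer with every algorithm the IOC list uses."""
    return {name: hashlib.new(name, data).hexdigest() for name in NKABUSE_IOCS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Digest a file in one pass, reading it in chunks so large files do not exhaust memory."""
    hashers = {name: hashlib.new(name) for name in NKABUSE_IOCS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matching_algorithms(digests: Dict[str, str]) -> List[str]:
    """Names of the algorithms whose digest equals the published IOC (empty list = no match)."""
    return [name for name, value in digests.items()
            if value.lower() == NKABUSE_IOCS.get(name)]


def sweep(root: str) -> List[str]:
    """Walk `root` and return the paths of files matching any listed IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if matching_algorithms(hash_file(path)):
                    hits.append(path)
            except OSError:
                continue  # unreadable file (permissions, vanished, special file)
    return hits


if __name__ == "__main__":
    import sys
    # Assumed default: scan /tmp, a common staging directory for downloaded implants.
    for hit in sweep(sys.argv[1] if len(sys.argv) > 1 else "/tmp"):
        print("IOC match:", hit)
```

A single published sample means a hash sweep only catches that exact build; the alert notes eight architecture-specific versions on the download server, so treat a hash miss as inconclusive and pair it with the persistence and network checks.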
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Use strong, unique passwords for your admin accounts. This includes both the admin user and any other accounts with elevated privileges.
- Delete any user accounts that don’t need administrative privileges.
- Maintain regular backups of your website’s content and database.
- Implement a web application firewall to filter out malicious traffic and protect against common web-based threats.
- Implement strong access controls, including limiting login attempts and using two-factor authentication (2FA) to enhance login security.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.