A newly identified multi-platform threat named NKAbuse has surfaced, employing a decentralized peer-to-peer network connectivity protocol known as NKN (New Kind of Network) for communication. Russian cybersecurity firm Kaspersky detailed the malware's capabilities in a report, describing it as a robust implant with both flooder and backdoor functionalities.

NKN, boasting over 62,000 nodes, functions as a software overlay network on the existing Internet, allowing users to share unused bandwidth and earn token rewards through a blockchain layer on top of the TCP/IP stack. NKAbuse, however, takes advantage of this technology to execute distributed denial-of-service (DDoS) attacks and operate as an implant within compromised systems.

While threat actors commonly exploit emerging communication protocols for command-and-control purposes to elude detection, NKAbuse stands out by leveraging blockchain technology. This malicious software communicates with the bot master using the NKN protocol, implementing the Go programming language. Its primary targets seem to be Linux systems, including IoT devices, particularly in Colombia, Mexico, and Vietnam.

The scale of the attacks remains uncertain, but Kaspersky highlighted an incident involving the exploitation of a six-year-old critical security flaw in Apache Struts (CVE-2017-5638, CVSS score: 10.0) to breach an unnamed financial company. The attack sequence involves the delivery of an initial shell script, responsible for downloading the implant from a remote server after verifying the target host's operating system. The server hosting the malware supports various CPU architectures, featuring eight different versions of NKAbuse.

Notably, NKAbuse lacks a self-propagation mechanism, requiring delivery through an initial access pathway, such as exploiting security flaws. The malware employs cron jobs to persist through reboots, checking the user ID and, if it is root (ID 0), adding itself to the crontab for every reboot.

The malware also incorporates backdoor features enabling it to send periodic heartbeat messages to the bot master, providing system information, capturing screenshots, performing file operations, and executing system commands. Kaspersky emphasizes that NKAbuse is crafted for integration into a botnet but can adapt to functioning as a backdoor on a specific host. The use of blockchain technology ensures reliability and anonymity, hinting at the potential for the botnet to expand steadily over time without an identifiable central controller.

Zheng "Bruce" Li, co-founder of NKN, expressed surprise at the misuse of NKN technology, emphasizing that NKN was designed to offer secure, private, decentralized, and scalable peer-to-peer communication. He expressed a willingness to collaborate with security experts to enhance internet safety.