The distributed nature of the blockchain makes it possible to effectively mask malicious activity.
Kaspersky Lab recently discovered a new feature-rich malware called NKAbuse, which uses the decentralized NKN communication protocol to exchange data between infected devices.
NKN is described as a software overlay network built on top of the classic Internet, which allows users to share unused bandwidth and receive rewards in tokens for this. It includes a blockchain layer above the existing TCP/IP protocol stack.
Although it is known that attackers often use new communication protocols to monitor and manage malware to avoid detection, NKAbuse integrates blockchain technology to conduct DDoS attacks and function as an implant in compromised systems.
In particular, it uses the NKN protocol to communicate with the botnet operator and to send and receive commands. The malware is implemented in the Go programming language and, apparently, is mainly used to attack Linux systems, including IoT devices.
It is not yet known how widespread these attacks are. However, in one of the cases identified by Kaspersky Lab, attackers used a 6-year-old critical vulnerability in Apache Struts (CVE-2017-5638, CVSS score 10.0) to break into an unnamed financial company.
Successful exploitation of the vulnerability results in loading the initial shell script responsible for downloading the implant from a remote server. The server that hosts the malware contains 8 different versions of NKAbuse to support different CPU architectures.
Another important feature of NKAbuse is the lack of a self-propagation mechanism. In other words, the malware must be delivered to the target system exclusively through other attack vectors.
According to the researchers, this program was developed specifically for integration into a botnet. However, it can also be adapted to function as a backdoor on a specific host.
In addition, the use of blockchain technology provides reliability and anonymity, which indicates the potential of this botnet to constantly expand over time in the absence of an identifiable central controller.
Li Zheng, the founder of NKN, said that his team was surprised to learn about the use of their protocol in this way. "We created NKN to provide truly decentralized communications that are secure, confidential, and scalable. We will learn more about this report to work together to make the Internet safe and neutral," Zheng said.
Thus, the emergence of a decentralized communication protocol with blockchain support has opened up new opportunities not only for application developers and ordinary users, but also for cybercriminals. This is definitely a wake-up call that requires close attention from cybersecurity experts. It is possible that malicious exploitation of NKN can be stopped by the joint efforts of the community and specialists, but hacker savvy has repeatedly proved that a workaround can always be found.