Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol

During an incident response performed by Kaspersky’s Global Emergency Response Team (GERT) and GReAT, we uncovered a novel multiplatform threat named “NKAbuse”. The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities. Written in Go, it is flexible enough to generate binaries compatible with various architectures.
在卡巴斯基全球应急响应团队（GERT）和GReAT执行的事件响应中，我们发现了一种名为“NKAbuse”的新型多平台威胁。该恶意软件利用 NKN 技术在对等方之间进行数据交换，充当强大的植入物，并配备洪水和后门功能。它是用 Go 编写的，足够灵活，可以生成与各种架构兼容的二进制文件。

Our analysis suggests that the primary target of NKAbuse is Linux desktops. However, in view of its ability to infect MISP and ARM systems, it also poses a threat to IoT devices.
我们的分析表明，NKAbuse 的主要目标是 Linux 桌面。然而，鉴于它能够感染MISP和ARM系统，它也对物联网设备构成了威胁。

NKAbuse infiltrates systems by uploading an implant to the victim host. The malware establishes persistence through a cron job and installs itself in the host’s home folder. Its capabilities span flooding to backdoor access to remote administration (RAT), offering a range of features.
NKAbuse 通过将植入物上传到受害主机来渗透系统。该恶意软件通过 cron 作业建立持久性，并将自身安装在主机的主文件夹中。它的功能涵盖泛洪到远程管理 （RAT） 的后门访问，提供了一系列功能。

A new kind of network
一种新型网络

NKN, short for “New Kind of Network”, functions as a peer-to-peer (P2P) and blockchain-oriented network protocol that prioritizes decentralization and privacy. The NKN network currently has more than 60,000 official nodes. It offers diverse routing algorithms designed to optimize data transmission by selecting the shortest node trajectory to reach its intended destination.
NKN是“新型网络”的缩写，是一种点对点（P2P）和面向区块链的网络协议，优先考虑去中心化和隐私。NKN网络目前拥有超过60,000个官方节点。它提供了多种路由算法，旨在通过选择最短的节点轨迹来优化数据传输以到达其预定目的地。

NKN data routing diagram NKN数据路由图

Historically, malware operators have exploited new and emerging communication protocols like NKN to link up with their command-and-control servers (C2) or bot masters. This threat (ab)uses the NKN public blockchain protocol to carry out a large set of flooding attacks and act as a backdoor inside Linux systems.
从历史上看，恶意软件运营商利用 NKN 等新兴通信协议与其命令和控制服务器 （C2） 或机器人主服务器连接。这种威胁 （ab） 使用 NKN 公共区块链协议进行大量泛洪攻击，并充当 Linux 系统内部的后门。

A not-so-new attack vector
一个不那么新的攻击媒介

Evidence collected and analyzed by GERT suggests that this attack exploited an old vulnerability related to Struts2 (CVE-2017-5638 – Apache Struts2), targeting a financial company.
GERT 收集和分析的证据表明，此攻击利用了与 Struts2 相关的旧漏洞（CVE-2017-5638 – Apache Struts2），针对一家金融公司。

Log evidence obtained from the exploited WebService
从被利用的 WebService 获取的日志证据

The excerpt from the audit logs shown above is the same as that referenced in the vulhub POC S2-048. The vulnerability allows the attackers to execute commands on the server by passing the command in a header identified as “shell” and sending the instructions to Bash for execution. After the vulnerability is exploited, a command is executed on the system to download the initial script.
上面显示的审核日志摘录与 vulhub POC S2-048 中引用的摘录相同。该漏洞允许攻击者通过在标识为“shell”的标头中传递命令并将指令发送到 Bash 执行，从而在服务器上执行命令。攻击者利用该漏洞后，系统会执行命令下载初始脚本。

A new multiplatform implant
一种新的多平台植入物

The malware is typically installed on the victim’s device by executing a remote shell script that downloads and executes the contents of the setup.sh shell script hosted by the attacker remotely. The setup process checks the OS type and, depending on that, it downloads the second stage, which is the actual malware implant. The implant is downloaded from the same server; it is named “app_linux_{ARCH}”, where “{ARCH}” is the target OS architecture. The downloaded implant is placed into the temporary /tmp directory and then executed. There are eight architectures hosted on that server and supported by the malware:
恶意软件通常通过执行远程 shell 脚本安装在受害者的设备上，该脚本下载并执行攻击者远程托管的 setup.sh shell 脚本的内容。安装过程会检查操作系统类型，并根据该类型下载第二阶段，即实际的恶意软件植入。植入物是从同一台服务器下载的;它被命名为“app_linux_{ARCH}”，其中“{ARCH}”是目标操作系统架构。下载的植入物被放入临时 /tmp 目录中，然后执行。该服务器上托管了八种体系结构，并受恶意软件支持：

• 386
• arm64 arm64的
• arm
• amd64 AMD64的
• mips MIPS系列
• mipsel 米普塞尔
• mips64 MIPS64的
• mips64el MIPS64EL的

This analysis will focus on the amd64 (x86-64) version.
本分析将重点介绍 amd64 （x86-64） 版本。

Once executed, the malware checks if it is the only instance running and moves itself to a safe place instead of remaining in the volatile /tmp directory. The directory chosen by the implant to reside in is /root/.config/StoreService/. Another set of directories created inside that destination path is files and .cache. Then the implant retrieves the infected machine’s IP address by sending a GET request to ifconfig.me, loads the default configuration, which checks if it is located inside the .cache directory and, if not, loads certain hardcoded settings.
一旦执行，恶意软件会检查它是否是唯一正在运行的实例，并将自身移动到安全的地方，而不是保留在易失性 /tmp 目录中。植入程序选择驻留的目录是 /root/.config/StoreService/。在该目标路径中创建的另一组目录是 files 和 .cache。然后，植入程序通过向 ifconfig.me 发送 GET 请求来检索受感染机器的 IP 地址，加载默认配置，检查它是否位于 .cache 目录中，如果不是，则加载某些硬编码设置。

Loading and setting up the default configuration
加载和设置默认配置

This configuration is then saved to a new cache structure, which holds other important repeatedly reused settings, such as the generated private key.
然后，此配置将保存到新的缓存结构中，该结构包含其他重要的重复重用设置，例如生成的私钥。

NKAbuse makes use of cron jobs to survive reboots. To achieve that, it needs to be root. It checks that the current user ID is 0 and, if so, proceeds to parse the current crontab, adding itself for every reboot.
NKAbuse 利用 cron 作业在重新启动后幸存下来。要实现这一点，它需要是 root。它检查当前用户 ID 是否为 0，如果是，则继续解析当前 crontab，并在每次重新启动时添加自身。

A new communication 新的沟通方式

NKAbuse utilizes the NKN protocol to communicate with the bot master and receive/send information. To do this, the malware implant creates a new account and a new multiclient, which enables it to send and receive data from multiple clients concurrently, increasing the reliability of its communications with the bot master.
NKAbuse 利用 NKN 协议与机器人主站通信并接收/发送信息。为此，恶意软件植入物会创建一个新帐户和一个新的多客户端，使其能够同时从多个客户端发送和接收数据，从而提高其与机器人主机通信的可靠性。

The NKN account is created with the default config options, and then the multiclient is initialized with an identifier which in our sample is a 64 character string representing the public key and remote address used by the malware.
使用默认配置选项创建 NKN 帐户，然后使用标识符初始化多客户端，在我们的示例中，该标识符是一个 64 个字符的字符串，表示恶意软件使用的公钥和远程地址。

NKAbuse setting up the NKN client structure with the help of a hardcoded public key
NKAbuse 借助硬编码公钥设置 NKN 客户端结构

As soon as the client is set up and ready to receive and send data, the malware establishes a handler to accept incoming messages sent by the bot master. The handler contains 42 or so cases, each performing different actions depending on the “code” sent, and waits for more messages to arrive.
一旦客户端设置好并准备好接收和发送数据，恶意软件就会建立一个处理程序来接受机器人主服务器发送的传入消息。该处理程序包含 42 个左右的案例，每个案例根据发送的“代码”执行不同的操作，并等待更多消息到达。

NKAbuse contains a large arsenal of Distributed Denial of Service (DDoS) attacks. Below is a list of the flooding payloads.
NKAbuse 包含大量分布式拒绝服务 （DDoS） 攻击。以下是泛洪有效载荷的列表。

All these payloads historically have been used by botnets, so, when combined with the NKN as the communication protocol, the malware can asynchronously wait for the master to launch a combined attack. It is important to note that the last type of payload attack diverts from the others. NKAbuse overflows a DNS server with junk DNS requests (type AAAA), causing it to try to resolve “{JUNK}.google.com” subdomains, where {JUNK} is a randomly generated subdomain name in the 0-9a-zA-Z format.
所有这些有效载荷在历史上都曾被僵尸网络使用，因此，当与 NKN 作为通信协议结合使用时，恶意软件可以异步等待主服务器发起联合攻击。需要注意的是，最后一种类型的有效载荷攻击与其他类型的有效载荷攻击不同。NKAbuse 使用垃圾 DNS 请求（类型 AAAA）溢出 DNS 服务器，导致它尝试解析“{JUNK}.google.com”子域，其中 {JUNK} 是随机生成的子域名，格式为 0-9a-zA-Z。

A new backdoor with RAT capabilities
具有 RAT 功能的新后门

NKAbuse has multiple features that turn it into a powerful backdoor or a remote access trojan (RAT), not just a DDoS tool. In fact, most of the message commands mentioned above are, in one way or another, used for persistence, command execution, or information gathering.
NKAbuse 具有多种功能，可将其变成强大的后门或远程访问木马 （RAT），而不仅仅是 DDoS 工具。事实上，上面提到的大多数消息命令都以某种方式用于持久性、命令执行或信息收集。

The malware implant establishes a structure named “Heartbeat”, which talks to the bot master at regular intervals. It contains a number of other structures that store information about the infected host: the PID, the victim’s IP address, free memory, current configuration, and so on.
恶意软件植入物建立了一个名为“Heartbeat”的结构，该结构定期与机器人主人交谈。它包含许多其他结构，用于存储有关受感染主机的信息：PID、受害者的 IP 地址、可用内存、当前配置等。

Another feature of this malware is the ability to make screenshots of the infected machine. It uses an open-source project to determine the display bounds and then capture an image of the current screen, in order to convert it to PNG and send to the bot master.
该恶意软件的另一个功能是能够对受感染的机器进行屏幕截图。它使用开源项目来确定显示边界，然后捕获当前屏幕的图像，以便将其转换为 PNG 并发送给机器人主节点。

Capturing screenshots 捕获屏幕截图

NKAbuse can also create files with specific content, remove files from the file system, and fetch a file list from a specific path. It can get a list of processes running in the system and even a detailed list of the available network interfaces. Another common feature that makes this implant a full-fledged backdoor is the ability to run system commands. These are executed on behalf of the current user, and the output is sent via NKN to the botmaster.
NKAbuse 还可以创建具有特定内容的文件、从文件系统中删除文件以及从特定路径获取文件列表。它可以获取系统中运行的进程列表，甚至可以获取可用网络接口的详细列表。使该植入程序成为成熟后门的另一个常见功能是能够运行系统命令。这些是代表当前用户执行的，输出通过 NKN 发送给机器人管理员。

A new threat 新威胁

Although relatively rare, new cross-platform flooders and backdoors like NKAbuse stand out through their utilization of less common communication protocols. This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host. Moreover, its use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller.
虽然相对罕见，但新的跨平台洪水程序和后门（如 NKAbuse）通过使用不太常见的通信协议而脱颖而出。这种特殊的植入物似乎是经过精心制作的，可以集成到僵尸网络中，但它可以适应在特定主机中充当后门。此外，它对区块链技术的使用确保了可靠性和匿名性，这表明该僵尸网络有可能随着时间的推移稳步扩展，似乎没有可识别的中央控制器。

Additionally, it was confirmed that the malware has no self-propagation functionality, which means the initial infection vector is delivered by someone who exploits a vulnerability to deploy the sample.
此外，还确认该恶意软件没有自我传播功能，这意味着初始感染媒介是由利用漏洞部署样本的人提供的。

Our telemetry data shows that there are victims in Colombia, Mexico, and Vietnam. All Kaspersky products detect the threat as HEUR:Backdoor.Linux.NKAbuse.a.
我们的遥测数据显示，哥伦比亚、墨西哥和越南都有受害者。所有 Kaspersky 产品都将威胁检测为 HEUR：Backdoor.Linux.NKAbuse.a。

A more detailed analysis of the latest NKAbuse versions is available to customers of our private Threat Intelligence Reports. With any requests on the subject, please contact [email protected].
我们的私人威胁情报报告的客户可以对最新的 NKAbuse 版本进行更详细的分析。如有任何关于此主题的要求，请联系 [email protected]。

Indicators of compromise
入侵指标

Host-based: 基于主机：

• MD5: 11e2d7a8d678cd72e6e5286ccfb4c833
  MD5：11e2d7a8d678cd72e6e5286ccfb4c833

Files created: 创建的文件：

• /root/.config/StoreService
• /root/.config/StoreService/app_linux_amd64
• /root/.config/StoreService/files
• /root/.config/StoreService/.cache

原文始发于KASPERSKY GERT：Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol