NKAbuse

NKAbuse is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.^[1]^[2]

ID: S1107

ⓘ

Type: MALWARE

ⓘ

Platforms: Linux, macOS, Windows

Version: 1.0

Created: 08 February 2024

Last Modified: 13 April 2024

Techniques Used

Domain	ID		Name	Use
Enterprise	T1090	.003	代理: Multi-hop Proxy	NKAbuse has abused the NKN public blockchain protocol for its C2 communications.^[1]^[2]
Enterprise	T1059	.004	命令与脚本解释器: Unix Shell	NKAbuse is initially installed and executed through an initial shell script.^[2]
Enterprise	T1113		屏幕捕获	NKAbuse can take screenshots of the victim machine.^[2]
Enterprise	T1082		系统信息发现	NKAbuse conducts multiple system checks and includes these in subsequent "heartbeat" messages to the malware's command and control server.^[2]
Enterprise	T1016	.001	系统网络配置发现: Internet Connection Discovery	NKAbuse utilizes external services such as `ifconfig.me` to identify the victim machine's IP address.^[2]
Enterprise	T1498		网络拒绝服务	NKAbuse enables multiple types of network denial of service capabilities across several protocols post-installation.^[2]
Enterprise	T1057		进程发现	NKAbuse will check victim systems to ensure only one copy of the malware is running.^[2]
Enterprise	T1053	.003	预定任务/作业: Cron	NKAbuse uses a Cron job to establish persistence when infecting Linux hosts.^[2]

References

Bill Toulas. (2023, December 14). New NKAbuse malware abuses NKN blockchain for stealthy comms. Retrieved February 8, 2024.

KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024.

NKAbuse

Enterprise Layer

Techniques Used

References