NKAbuse

NKAbuse is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.^[1]^[2]

ID: S1107

ⓘ

Type: MALWARE

ⓘ

Platforms: Linux, macOS, Windows

Version: 1.0

Created: 08 February 2024

Last Modified: 13 April 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.004	Command and Scripting Interpreter: Unix Shell	NKAbuse is initially installed and executed through an initial shell script.^[2]
Enterprise	T1498		Network Denial of Service	NKAbuse enables multiple types of network denial of service capabilities across several protocols post-installation.^[2]
Enterprise	T1057		Process Discovery	NKAbuse will check victim systems to ensure only one copy of the malware is running.^[2]
Enterprise	T1090	.003	Proxy: Multi-hop Proxy	NKAbuse has abused the NKN public blockchain protocol for its C2 communications.^[1]^[2]
Enterprise	T1053	.003	Scheduled Task/Job: Cron	NKAbuse uses a Cron job to establish persistence when infecting Linux hosts.^[2]
Enterprise	T1113		Screen Capture	NKAbuse can take screenshots of the victim machine.^[2]
Enterprise	T1082		System Information Discovery	NKAbuse conducts multiple system checks and includes these in subsequent "heartbeat" messages to the malware's command and control server.^[2]
Enterprise	T1016	.001	System Network Configuration Discovery: Internet Connection Discovery	NKAbuse utilizes external services such as `ifconfig.me` to identify the victim machine's IP address.^[2]

References

Bill Toulas. (2023, December 14). New NKAbuse malware abuses NKN blockchain for stealthy comms. Retrieved February 8, 2024.

KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024.

NKAbuse

Enterprise Layer

Techniques Used

References