Kaspersky Uncovers Malware Using Blockchain Technology
By Fernando Mares | Journalist & Industry Analyst
Fri, 12/29/2023 - 14:07
Kaspersky’s experts found new malware, called NKAbuse, that exploits NKN technology, a peer-to-peer, blockchain-oriented networking protocol known for its decentralization and privacy. Kaspersky Security Network identified potential victims of the attack in Colombia, Mexico, and Vietnam.
The company noted that the discovered malware is a double threat, as it can act as a backdoor/Remote Access Trojan (RAT) and a flooder at the same time, making it quite versatile. According to Kaspersky, in its backdoor/RAT role, NKAbuse provides attackers with unauthorized access to victims’ systems, enabling the attacker to covertly execute commands, steal data, and monitor activities, which is a valuable feature for espionage and data exfiltration. On the other hand, as a flooder, the malware can carry out harmful Distributed Denial of Service (DDoS) attacks, overwhelming and disrupting specific servers or networks, and thereby causing significant disruptions to organizational operations.
Among other features, NKAbuse can capture screenshots, manage files, retrieve system and network information, and execute system commands, as well as collect data, which is sent to its botmaster through the NKN network using decentralized communications.
Once in control, NKAbuse downloads a harmful implant onto the victim's computer. This implant is first put in a temporary directory for execution. To keep operating continuously, NKAbuse sets up a scheduled task and places itself in the host's home folder. “The implant's use of the NKN protocol underlines its advanced communication strategy, enabling decentralized, anonymous operations and leveraging NKN's blockchain features for efficient, stealthy communication between infected nodes and C2 servers. This approach complicates detection and mitigation efforts,” said Lisandro Ubiedo, Security Researcher, Kaspersky.
Kaspersky noted that, owing to its features and the fact that it was written in the Go programming language, NKAbuse can target various operating systems, including Linux desktops and IoT devices. “Go's ability to produce self-contained binaries simplifies deployment and enhances robustness, making NKAbuse a formidable tool in the realm of cybersecurity threats,” reads Kaspersky’s report.
The company noted all Kaspersky products can identify NKAbuse under the label of HEUR:Backdoor.Linux.NKAbuse.a. To prevent infections from this malware or others, the company recommends the continuous updating of software and antivirus programs. Additionally, it suggests regular updates to the Security Operations Centers (SOC) within organizations, the implementation of Endpoint Detection and Response (EDR) solutions, and thorough investigation of alerts and threats identified by security controls.









