NKNShell Malware Distributed via VPN Website

The Larva-24010 threat actor has been distributing a trojanized installer via a South Korean VPN provider’s website. The installer deploys backdoors including MeshAgent, gs-netcat, and a newly identified backdoor, NKNShell, which uses the NKN and MQTT protocols for C2. The attack uses PowerShell-based downloaders, AI-assisted code, and persistence mechanisms to maintain access and exfiltrate system information.

Keypoints

  • The VPN provider’s legitimate installer was trojanized to run a PowerShell downloader that installs additional malware while proceeding with the VPN installation.
  • The threat actor, tracked as Larva-24010, has repeatedly targeted South Korean VPN providers since 2023 and re-used MeshAgent with similar PDB paths.
  • The primary payloads observed are NKNShell (new backdoor), MeshAgent (remote management), and gs-netcat (remote shell via GSRN), with SQLMap used for web scanning in some cases.
  • PowerShell scripts (sql-auto.ps1 and install.ps1) are used to disable defenses (AMSI/ETW), register persistence (WMI filter), and deploy payloads; some scripts show signs of generative AI authorship.
  • NKNShell is a Go-based backdoor using NKN (P2P blockchain-based) and MQTT protocols for C2, generates unique NKN addresses/Client IDs, and transmits detailed system info to attacker-controlled endpoints.
  • NKNShell supports a wide range of commands (file operations, injection, remote execution, DDoS, and more) though some features appear incomplete or not implemented.
  • NKNShell updates via attacker-controlled pages on anonymous blogging platforms (telegra[.]ph family) containing Base64-encoded payload URLs, and MQTT brokers observed include broker.emqx[.]io and broker.hivemq[.]com.

MITRE Techniques

  • [T1071] Application Layer Protocol – NKNShell uses MQTT and NKN protocols for C2 communication (“…uses the NKN and MQTT protocols to communicate with its C&C server…”).
  • [T1105] Ingress Tool Transfer – PowerShell downloaders (sql-auto.ps1, install.ps1) download additional payloads such as MeshAgent, gs-netcat, and NKNShell (“…The ‘sql-auto.ps1’ script acts as a downloader for additional malware…”).
  • [T1055] Process Injection – NKNShell injects into legitimate processes such as Microsoft Edge, Notepad, Calculator, and Paint (“…the NKNShell backdoor executes and injects into Microsoft Edge, Notepad, Calculator, and Paint processes.”).
  • [T1547.001] Registry Run Keys / Startup Folder (via WMI Persistence) – install.ps1 registers a WMI filter named “Cleanup” to persist and execute the downloader (“…registers a WMI filter named ‘Cleanup’ for persistence. The ‘Cleanup’ filter allows executing the actual downloader script…”).
  • [T1218] Signed Binary Proxy Execution / Valid Accounts (misuse) – Installer is signed with an invalid certificate impersonating NVIDIA to appear legitimate (“…signed with an invalid certificate impersonating NVIDIA.”).
  • [T1059.001] PowerShell – Attackers load and execute Base64-encoded PowerShell commands and use PowerShell-based downloader scripts to deploy payloads (“…loads it into memory, and runs Base64-encoded commands… ‘sql-auto.ps1’ … downloads additional payloads”).
  • [T1573] Encrypted Channel / Alternate Protocols – Use of blockchain-based NKN P2P network provides resilient, non-standard C2 channels (“…use of the blockchain-based P2P networking protocol NKN for C&C communication…”).
  • [T1112] Modify Registry – Scripts attempt to add Defender exclusions and disable protections (AMSI/ETW) and register persistence mechanisms (“…attempts to disable Windows Defender, add exclusion paths, and execute the ‘Null-AMSI’ script… registers a WMI filter named ‘Cleanup’ for persistence.”).
  • [T1496] Resource Hijacking (Data from Local System) – NKNShell collects and transmits detailed system information to attacker-controlled addresses (“…sends collected information to attacker-controlled addresses that are hardcoded into the binary.”).
  • [T1106] Native API – The trojanized installer (written in Go) and Go-based backdoors use native language features for execution and evasion, including disabling AMSI via native methods (“…PowerShell is a PowerShell console developed in C/C++, which disables security features such as AMSI.”).

Indicators of Compromise

  • [File Hash] Malware samples observed – 0696da5b242023308ad45c50666b2b96, 0dfea610a526b0d458e84c6cd604b2ab (and 3 more MD5 hashes)
  • [URL] Download and proxy URLs used to host payloads – https://microsoft[.]devq[.]workers[.]dev/newms[.]exe, https://openai-proxy[.]napdev[.]workers[.]dev/?url=https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9[.]r2[.]dev/Protect[.]exe
  • [FQDN] C2 and hosting domains – kttelecom[.]duckdns[.]org, spiffy-crepe-c667e8[.]netlify[.]app
  • [MQTT Broker] MQTT brokers used by NKNShell for C2 – broker.emqx[.]io:1833, broker.hivemq[.]com:1833 (also broker.mqtt[.]cool:1833 and broker.mosquitto[.]org:1833)
  • [File Path] Persistence and installation paths – %LOCALAPPDATA%svchostservices.exe (MeshAgent), c:windowslinuxcached.exe (gs-netcat)
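As an added hunting example (not code from the ASEC report), the following Python script checks constructed proxy/firewall log lines against the network indicators listed above: the public MQTT brokers on the reported port, the C2/hosting domains, and the workers.dev / r2.dev / telegra.ph hosting pattern, including the target hidden inside a proxy URL's `?url=` parameter. The log line format is a hypothetical one chosen for the example.

```python
import re
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Indicators as listed in the report (defanged there with "[.]"; refanged on load).
MQTT_BROKERS = {"broker.emqx.io", "broker.hivemq.com", "broker.mqtt.cool", "broker.mosquitto.org"}
MQTT_PORT = 1833  # port number as given in the report's IoC list
C2_HOSTS = {"kttelecom.duckdns.org", "spiffy-crepe-c667e8.netlify.app"}
# Hosting patterns seen in the campaign: workers.dev proxies, r2.dev buckets, telegra.ph pages.
HOSTING_RE = re.compile(r"(\.workers\.dev|\.r2\.dev|(^|\.)telegra\.ph)$")

# Hypothetical log format: "<timestamp> src=<ip> dst=<host>:<port> [url=<full url>]"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)(?: url=(?P<url>\S+))?")

def refang(value: str) -> str:
    return value.replace("[.]", ".")

def classify_host(host: str, port: int) -> Optional[str]:
    """Return a reason if host/port matches a reported indicator, else None."""
    if host in MQTT_BROKERS and port == MQTT_PORT:
        return "public MQTT broker listed as NKNShell C2"
    if host in C2_HOSTS:
        return "reported C2/hosting domain"
    if HOSTING_RE.search(host):
        return "payload hosting pattern (workers.dev / r2.dev / telegra.ph)"
    return None

def inner_url_hosts(url: str) -> list:
    """Unwrap the ?url=<target> parameter carried by the workers.dev proxy URLs."""
    hosts = []
    for target in parse_qs(urlparse(url).query).get("url", []):
        inner = urlparse(refang(target)).hostname
        if inner:
            hosts.append(inner)
    return hosts

def scan(lines: list) -> list:
    """Return (timestamp, src, 'host: reason') for every indicator match in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, port = refang(m["dst"]), int(m["port"])
        for host in [dst] + (inner_url_hosts(m["url"]) if m["url"] else []):
            reason = classify_host(host, port)
            if reason:
                hits.append((m["ts"], m["src"], f"{host}: {reason}"))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    "2024-06-01T10:00:01Z src=10.0.0.12 dst=broker.emqx.io:1833",
    "2024-06-01T10:00:02Z src=10.0.0.12 dst=broker.hivemq.com:443",
    "2024-06-01T10:00:03Z src=10.0.0.15 dst=openai-proxy.napdev.workers.dev:443 url=https://openai-proxy.napdev.workers.dev/?url=https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev/Protect.exe",
    "2024-06-01T10:00:04Z src=10.0.0.20 dst=kttelecom.duckdns.org:443",
    "2024-06-01T10:00:05Z src=10.0.0.21 dst=www.example.com:443",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The second sample line shows why the port matters: a broker host on a non-MQTT port is deliberately not flagged, so tune MQTT_PORT to what your environment actually sees.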

Read more: https://asec.ahnlab.com/en/91139/