Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol

Kaspersky researchers uncovered NKAbuse, a multiplatform implant written in Go that uses the NKN peer-to-peer network for command-and-control and combines DDoS flooding with backdoor/RAT functions. In the observed attack the implant was delivered through an Apache Struts2 exploit (CVE-2017-5638); it installs under /root/.config/StoreService, persists through cron, and talks to its botmaster through an NKN multiclient. #NKAbuse #NKN

Keypoints

  • Initial access observed via exploitation of Apache Struts2 (CVE-2017-5638) to run commands and download a remote setup script.
  • The installer (setup.sh) downloads a second-stage Go implant named app_linux_{ARCH}, built for eight architectures, into /tmp and executes it from there.
  • The implant relocates to /root/.config/StoreService, creates its working files and .cache directories, saves its configuration together with a newly generated private key, and retrieves the host's public IP from ifconfig.me.
  • Persistence relies on a cron job added when running as root so the implant is re-executed on reboot.
  • Communication with the botmaster uses the decentralized NKN protocol: the implant creates an NKN account and a multiclient bound to a hardcoded identifier/public key, then registers a message handler with roughly 42 command cases.
  • NKAbuse carries an extensive DDoS arsenal (HTTP GET/POST, TCP/UDP, SYN, SSL, ICMP and slowloris variants) plus a DNS flood that queries AAAA records for random junk subdomains of the target, forcing NXDOMAIN responses.
  • Backdoor/RAT capabilities include heartbeat/beaconing, remote command execution, file creation/deletion/listing, process and network interface enumeration, and screenshot capture sent to the attacker.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access by exploiting Apache Struts2 CVE-2017-5638 to execute commands. [‘the attack exploited an old vulnerability related to Struts2 (CVE-2017-5638 – Apache Struts2)’]
  • [T1053.005] Scheduled Task/Job: Cron – Achieves persistence by adding itself to crontab for execution on reboot when running as root. [‘NKAbuse makes use of cron jobs to survive reboots.’]
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Executes system commands via Bash after exploitation and supports remote command execution from the botmaster. [‘The vulnerability allows the attackers to execute commands on the server by passing the command in a header identified as “shell”’]
  • [T1071] Application Layer Protocol – Uses the NKN peer-to-peer protocol and an NKN multiclient for command-and-control communication with the botmaster. [‘NKAbuse utilizes the NKN protocol to communicate with the bot master and receive/send information.’]
  • [T1498] Network Denial of Service – Implements a wide range of flooding attacks (HTTP, TCP, UDP, SYN, ICMP, SSL, slowloris, DNS NXDOMAIN) to perform DDoS operations. [‘NKAbuse contains a large arsenal of Distributed Denial of Service (DDoS) attacks.’]
  • [T1113] Screen Capture – Captures screenshots of the infected host, converts them to PNG, and sends them to the botmaster. [‘determine the display bounds and then capture an image of the current screen, in order to convert it to PNG and send to the bot master.’]
  • [T1083] File and Directory Discovery – Can fetch a file list from specified paths on the infected system. [‘fetch a file list from a specific path.’]
  • [T1057] Process Discovery – Can retrieve a list of running processes on the compromised host. [‘It can get a list of processes running in the system’]
  • [T1105] Ingress Tool Transfer – Downloads the initial setup script and the architecture-specific implant (app_linux_{ARCH}) from an attacker-controlled server and executes it. [‘The implant is downloaded from the same server; it is named “app_linux_{ARCH}” … The downloaded implant is placed into the temporary /tmp directory and then executed.’]

Indicators of Compromise

  • [File paths] Installation and persistence artifacts on host – /root/.config/StoreService, /root/.config/StoreService/app_linux_amd64
  • [File names] Downloaded installer and payloads – setup.sh, app_linux_{ARCH} (e.g., app_linux_amd64)
  • [Domain/HTTP endpoint] External IP discovery – ifconfig.me (a legitimate public service, so a weak indicator on its own; correlate with the file paths above)
  • [Vulnerability] Exploited component – CVE-2017-5638 (Apache Struts2) used as the initial access vector

NKAbuse is deployed by exploiting a vulnerable public-facing web application (Apache Struts2, CVE-2017-5638) to run a shell command that downloads and executes an attacker-hosted setup.sh. The setup script identifies the host platform and fetches the matching Go-built implant app_linux_{ARCH} (eight architectures are supported), writes it to /tmp and executes it from there.

On execution the implant makes sure it is the only running instance, moves itself to /root/.config/StoreService (creating its working files and .cache directories), generates and caches its configuration including a private key, and queries ifconfig.me to learn the host's public IP. If running as root it edits the crontab to add an entry that re-launches it on every reboot. It then creates an NKN account and initializes a multiclient bound to a hardcoded identifier/public key, over which it sends and receives messages on the NKN peer-to-peer network. Because NKN is a public decentralized network with no attacker-owned server in the path, there is nothing to sinkhole: detection has to lean on the host artifacts and on unexpected NKN peer traffic leaving the box.
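The host artifacts above (the StoreService directory, the app_linux_{ARCH} binary dropped in /tmp or in that directory, and the root crontab entry) can be hunted with a small triage script. The following Python is an added example written for this page, not code from the Securelist report or from the implant. The sample crontab and path listing are constructed; the exact text of the cron line NKAbuse writes is not given in the report, so the @reboot line is an assumed rendering and the matcher keys on the directory and binary name rather than on the whole line.

```python
import os
import re

# Constructed sample inputs (not taken from the report). The "@reboot" line is
# an assumed rendering of the persistence described: root's crontab re-running
# the StoreService binary after reboot.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /root/.config/StoreService/app_linux_amd64
"""

SAMPLE_PATHS = [
    "/root/.config/StoreService",
    "/root/.config/StoreService/app_linux_amd64",
    "/root/.config/StoreService/.cache",
    "/tmp/app_linux_arm64",
    "/root/.config/htop/htoprc",
    "/usr/local/bin/app_linux_tool",
]

# The implant is named app_linux_{ARCH}; match any architecture suffix rather
# than enumerating the eight the installer supports, but only in the two
# locations the report describes so an unrelated binary elsewhere is not flagged.
STORE_DIR = re.compile(r"^/root/\.config/StoreService(?:/|$)")
IMPLANT_IN_DROP_DIRS = re.compile(
    r"^(?:/tmp|/root/\.config/StoreService)/app_linux_[a-z0-9]+$")
CRON_REF = re.compile(r"/root/\.config/StoreService|\bapp_linux_[a-z0-9]+\b")


def suspicious_paths(paths):
    """Return the paths that match NKAbuse's install or drop locations."""
    return [p for p in paths
            if STORE_DIR.search(p) or IMPLANT_IN_DROP_DIRS.search(p)]


def suspicious_cron_entries(crontab_text):
    """Return non-comment crontab lines that reference the implant directory
    or binary. The report describes a reboot entry, but any schedule pointing
    at these paths is worth a look, so @reboot is not required to match."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if CRON_REF.search(s):
            hits.append(s)
    return hits


def triage(crontab_text, paths):
    """Combine both checks into one verdict dict."""
    cron_hits = suspicious_cron_entries(crontab_text)
    path_hits = suspicious_paths(paths)
    return {"cron": cron_hits, "paths": path_hits,
            "infected": bool(cron_hits or path_hits)}


def live_scan():
    """Run the same checks on the local Linux host (as root). The cron spool
    locations are the usual Debian and RHEL ones."""
    paths = []
    for base in ("/root/.config/StoreService", "/tmp"):
        if os.path.isdir(base):
            paths.append(base)
            for root, dirs, files in os.walk(base):
                paths.extend(os.path.join(root, n) for n in dirs + files)
    crontab = ""
    for spool in ("/var/spool/cron/crontabs/root", "/var/spool/cron/root"):
        if os.path.isfile(spool):
            with open(spool, encoding="utf-8", errors="replace") as fh:
                crontab += fh.read()
    return triage(crontab, paths)


if __name__ == "__main__":
    print(triage(SAMPLE_CRONTAB, SAMPLE_PATHS))
```

The /tmp copy matters as much as the StoreService copy: a host where the implant was executed but failed to relocate (for example because it was not running as root) may show only the /tmp artifact and no cron entry.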

The NKN message handler implements roughly 42 command codes covering DDoS/flooding payloads (HTTP GET/POST, TCP/UDP, SYN, SSL, ICMP, slowloris variants, DNS AAAA junk-subdomain flood causing NXDOMAIN responses) and backdoor/RAT operations. RAT functions include periodic heartbeat/beaconing, remote command execution with output returned over NKN, file creation/deletion/listing, process and network interface enumeration, and screenshot capture converted to PNG for exfiltration to the botmaster.
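The DNS junk-subdomain flood described above has a recognizable footprint on the victim's resolver or authoritative server: a burst of AAAA queries from one source, each for a different high-entropy label under the target zone, each answered NXDOMAIN. The following Python detector is an added example for this page, not code from the report or from the implant; the log format (timestamp, client, query type, name, rcode), the sample lines and the thresholds are all constructed assumptions to be tuned per environment.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line:
# "<timestamp> <client_ip> <qtype> <qname> <rcode>". The 10.0.0.5 lines model
# the junk-subdomain AAAA flood; 10.0.0.9 is ordinary traffic with one typo.
SAMPLE_LOG = """\
2023-12-14T10:00:00 10.0.0.5 AAAA q8x2kz7v.victim.example NXDOMAIN
2023-12-14T10:00:00 10.0.0.5 AAAA m3p9wq1t.victim.example NXDOMAIN
2023-12-14T10:00:01 10.0.0.5 AAAA z1c4hn6b.victim.example NXDOMAIN
2023-12-14T10:00:01 10.0.0.5 AAAA r7t2yd8k.victim.example NXDOMAIN
2023-12-14T10:00:01 10.0.0.5 AAAA k9v3xs5e.victim.example NXDOMAIN
2023-12-14T10:00:02 10.0.0.9 A www.victim.example NOERROR
2023-12-14T10:00:02 10.0.0.9 AAAA mail.victim.example NOERROR
2023-12-14T10:00:03 10.0.0.9 AAAA typo.victim.example NXDOMAIN
"""


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; random junk scores high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one constructed log line into its fields, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qtype, qname, rcode = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower(), "rcode": rcode.upper()}


def per_source_stats(lines, zone):
    """Count NXDOMAIN AAAA queries under `zone` per client and summarize how
    random the leftmost labels look."""
    acc = defaultdict(lambda: {"n": 0, "labels": set(), "entropy_sum": 0.0})
    suffix = "." + zone.lower()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "AAAA" or rec["rcode"] != "NXDOMAIN":
            continue
        if not rec["qname"].endswith(suffix):
            continue
        label = rec["qname"][:-len(suffix)].split(".")[0]
        s = acc[rec["client"]]
        s["n"] += 1
        s["labels"].add(label)
        s["entropy_sum"] += label_entropy(label)
    return {client: {"nxdomain_aaaa": s["n"],
                     "distinct_labels": len(s["labels"]),
                     "mean_entropy": s["entropy_sum"] / s["n"]}
            for client, s in acc.items()}


def flag_sources(lines, zone, min_queries=5, min_entropy=2.5, min_distinct_ratio=0.9):
    """Return clients whose NXDOMAIN AAAA traffic looks like a junk-subdomain
    flood: enough queries, almost all for distinct names, with random labels."""
    flagged = []
    for client, s in per_source_stats(lines, zone).items():
        if (s["nxdomain_aaaa"] >= min_queries
                and s["distinct_labels"] / s["nxdomain_aaaa"] >= min_distinct_ratio
                and s["mean_entropy"] >= min_entropy):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(per_source_stats(lines, "victim.example"))
    print(flag_sources(lines, "victim.example"))
```

In production the counts would be taken over a sliding time window and compared with the zone's normal NXDOMAIN rate; a single user mistyping a hostname (the 10.0.0.9 line) stays well below any sensible threshold, while a bot emitting hundreds of random labels per second does not.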

Read more: https://securelist.com/unveiling-nkabuse/111512/