Skip to content

Novel NKAbuse malware targets Linux and IoT devices

  • by
  • 3 min read

A novel multiplatform malware dubbed NKAbuse targets Linux and IoT devices in Colombia, Mexico and Vietnam. NKAbuse utilises NKN technology for peer-to-peer data exchange and uses meticulous infiltration strategies to establish persistence.

Cybersecurity researchers from Kaspersky’s Global Emergency Platform (GERT) and the Global Research Analysis Team (GReAT) analysed the malware.

NKAbuse is a new breed of cross-platform flooders and backdoors, signalling potential concerns due to its adaptability, blockchain technology integration, and lack of self-propagation functionality.

NKAbuse uploads an implant to victim hosts and gains persistence through a corn job, Linux’s version of scheduled tasks. It then installs itself in the host’s home folder, with Linux desktops being the primary target.

The malware strategically exploits the NKN (New Kind of Network) decentralised, privacy-focused protocol. NKAbuse uses this blockchain protocol for flooding attacks and as a backdoor. Incorporating blockchain technology enhances reliability and anonymity, suggesting the potential for the botnet to grow steadily without a discernible central controller.

NKN data routing. | Source: Securelist

NKAbuse’s attack vector exploits an older vulnerability linked to Struts2 (CVE-2017-5638 – Apache Struts2). Specifically targeting a financial company, the attackers execute commands on the server by passing instructions through a header ‘shell’, exploiting the vulnerability to download the initial script.

NKAbuse is installed on victim devices by executing a remote shell script. The setup process includes downloading and executing the contents of the remote shell script. The malware exhibits flexibility by generating binaries compatible with various architectures, such as AMD64, ARM, and MIPS, customising the implant to target OS architectures.

The malware then leverages the NKN protocol for communication with the bot master, creating a new account and multiclient for efficient data exchange. The malware features an extensive repertoire of Distributed Denial of Service (DDoS) attacks and backdoor functionalities. These include capturing screenshots, executing system commands, and gathering detailed information about the infected host.

“Although relatively rare, new cross-platform flooders and backdoors like NKAbuse stand out by utilising less common communication protocols. This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host,” said researchers.

In the News: OilRig deploys new lightweight downloaders to target Israel

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: