S1107 NKAbuse
NKAbuse is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.[1][2]
| Item | Value |
|---|---|
| ID | S1107 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 08 February 2024 |
| Last Modified | 13 April 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | NKAbuse is initially installed and executed through an initial shell script.[2] |
| enterprise | T1498 | Network Denial of Service | NKAbuse enables multiple types of network denial of service capabilities across several protocols post-installation.[2] |
| enterprise | T1057 | Process Discovery | NKAbuse will check victim systems to ensure only one copy of the malware is running.[2] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | NKAbuse has abused the NKN public blockchain protocol for its C2 communications.[1][2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.003 | Cron | NKAbuse uses a cron job to establish persistence when infecting Linux hosts.[2] |
| enterprise | T1113 | Screen Capture | NKAbuse can take screenshots of the victim machine.[2] |
| enterprise | T1082 | System Information Discovery | NKAbuse conducts multiple system checks and includes these in subsequent "heartbeat" messages to the malware's command and control server.[2] |
| enterprise | T1016 | System Network Configuration Discovery | - |
| enterprise | T1016.001 | Internet Connection Discovery | NKAbuse utilizes external services such as ifconfig.me to identify the victim machine's IP address.[2] |