Modular Plurox backdoor can spread over local network

Kaspersky experts recently discovered a backdoor dubbed Plurox that can spread itself over a local network and can allow installing additional malware. 

Kaspersky experts discovered the Plurox backdoor in February, it can spread itself over a local network and could be used by attackers to install additional malware. 

The Plurox backdoor is written in C and compiled with Mingw GCC, it communicates with the command and control (C&C) server using the TCP protocol. The malware has a modular structure, it uses a variety of plugins to implements its functionalities. 

“The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on victim computers.” reads the analysis published by Kaspersky. “What’s more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins, as required. Post-analysis, the malware was named Backdoor.Win32.Plurox.”

The analysis of the code revealed the presence of debug lines, a circumstance that suggests the malware was at the testing stage when it was first spotted.

The Plurox backdoor uses two different ports to load plugins, the ports along with the C&C addresses are hardcoded into the source code of the malware. 

Monitoring the backdoor’s activity, experts discovered two “subnets.” One subnet is used to provide only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) to the Plurox backdoor. The other one, besides miners (auto_opencl_amd, auto_miner), is used to pass several plugins to the malware.

The Plurox backdoor supports the following commands:

  • Download and run files using WinAPI CreateProcess
  • Update bot
  • Delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry)
  • Download and run plugin
  • Stop plugin
  • Update plugin (stop process and delete file of old version, load and start new one)
  • Stop and delete plugin

The backdoor allows delivering the proper cryptocurrency miners depending on the system configuration.  

The researchers observed eight mining modules that were used to infect systems running on different processors: auto_proc, auto_cuda, auto_miner, auto_opencl_amd, auto_gpu_intel, auto_gpu_nvidia, auto_gpu_cuda, and auto_gpu_amd. 

Experts also discovered that the Plurox backdoor also supports a UPnP plugin designed to target a local network. 

“The module receives from the C&C a subnet with mask /24, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP address on the router using the UPnP protocol. If successful, it reports the result to the C&C center, waits for 300 seconds (5 minutes), and then deletes the forwarded ports. We assume that this plugin can be used to attack a local network. ” states the report.

In case the administrators will detect the attack on the host, they will see the attack coming directly from the router, not from a local machine.

The UPnP plugin is similar to the EternalSilence exploit, with the difference that Plurox forwards TCP port 135 instead of 139. 

The backdoor uses the SMB plugin for spreading over the network using the EternalBlue exploit.

The module borrows the code from the Trickster Trojan, the researchers believe that the authors of Plurox and Trickster may be linked.

Plurox

Further technical details, including IoCs are reported in the analysis published by Kaspersky.

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)

The post Modular Plurox backdoor can spread over local network appeared first on Security Affairs.

Security Affairs


Are you looking for products for hacking, cybersecurity, and penetration testing? Do you need to cleanse your smartphone, PC, or website from viruses and malware? Do you need to track down a person or recover urgent information? Do you need to regain control of an account, email, or password that has been stolen from you? Interested in purchasing pre-configured devices to easily and quickly experiment with hacking techniques? Do you have specific requirements in software or hardware? We can assist you!

Contact us immediately for immediate assistance: provide us with details via email or WhatsApp about the type of support you need, and we will respond you promptly!

Fill out and submit the form below to send us an immediate support request

Write your email address here

Write here how we can help you - we provide immediate support for all your needs!

chevron_left
chevron_right