A few months ago, specialists in digital forensics analysis of security firm Kaspersky analyzed Plurox, a backdoor detected in some attacks that occurred in early 2019, discovering that this malware has some features with high harmful potential.
In their research, experts discovered that malware can spread across a local network via an exploit, access the targeted network and install cryptocurrency mining software, among other malicious activities. Plurox is written in C and compiled with Mingw GCC; experts believe that the malware was still in development when it was first detected.
This backdoor uses the TCP protocol to communicate with the command and control server, and its plugins are loaded and interconnected using two different ports. According to digital forensics analysis experts, two sub networks were detected when monitoring malware activity. In one, Plurox receives some variants of mining software, while in the other sub network, in addition to some mining programs, downloads several plugins.
This malware variant has virtually no encryption, as only a few 4-byte keys are applied for normal XOR encryption. The package for calling the C&C server looks as follows:
The buffer contains a XORed string with the key at the beginning of the packet. The C&C response contains the command to be executed, as well as the data for its execution encrypted with XOR. When the plugin loads, the bot selects the required bitness and requests both auto_proc and auto_proc64. In response, the C&C sends the MZ-PE encrypted plugin.
In total, digital forensics analysis experts found seven different commands in Plurox to perform various tasks such as:
- Download and run files using WinAPI CreateProcess
- Bot update
- Eliminate and disrupt service
- Download and run the plugins
- Connection interruption
- Plugin update
- Removing the plugins
According to the experts from the International Cyber Security Institute (IICS) Plurox can install one of several cryptocurrency mining programs, the choice is made depending on the configurations of the targeted system. This information is sent to the C&C server and, in response, information is received about the ideal plugin to install on that specific system.
Another intriguing module on Plurox is the SMB plugin, capable of spreading malware across the compromised network using the EternalBlue flaw exploit.