
Plurox, the all-in-one malware infecting computers around the world

A few months ago, digital forensics analysts at the security firm Kaspersky analyzed Plurox, a backdoor detected in attacks in early 2019, and found that the malware has several features with high harmful potential.

In their research, the experts found that the malware can spread across a local network via an exploit, give the attackers access to the compromised network and install cryptocurrency mining software, among other malicious activities. Plurox is written in C and compiled with Mingw GCC; the experts believe that the malware was still in development when it was first detected.

The backdoor communicates with its command and control (C&C) server over TCP, and its plugins are loaded and interconnected using two different ports. According to the digital forensics analysts, two subnets were observed while monitoring the malware's activity. In one, Plurox receives only variants of mining software; in the other, it downloads several plugins in addition to the miners.

This malware variant has virtually no real encryption: only a few 4-byte keys are used for a plain XOR cipher. The packet that calls the C&C server is simple: the key sits at the beginning of the packet, followed by the buffer XORed with that key. Because the key travels in the packet, anyone holding a capture can decode the traffic, which helps analysts but gives the operators no real confidentiality.

The C&C response contains the command to be executed, together with the data needed to execute it, also XOR-encrypted. When a plugin is loaded, the bot selects the required bitness and requests both auto_proc and auto_proc64; in response, the C&C sends the XOR-encrypted MZ-PE plugin.
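As an added illustration of the framing described above (example code written for this page, not Kaspersky's tooling and not the malware's own code), the following Python builds and parses a packet in which a 4-byte XOR key precedes the XORed buffer, and recovers the key of an XOR-encrypted MZ-PE plugin by known plaintext when the key is not carried in-band. The key value, the sample request string, the stand-in plugin bytes and the assumption that nothing else precedes the buffer are all constructed for the example; the DOS-header prefix MZ 90 00 is the usual start of a PE image but is not guaranteed for every sample.

```python
# Added example: Plurox-style 4-byte XOR framing (not the malware's or Kaspersky's code).
# Layout assumed from the description: key (4 bytes) || buffer XORed with that key.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_packet(key: bytes, payload: bytes) -> bytes:
    """Frame a request the way the text describes: the 4-byte key leads the packet."""
    if len(key) != 4:
        raise ValueError("Plurox uses 4-byte keys")
    return key + xor_bytes(payload, key)


def parse_packet(packet: bytes) -> tuple[bytes, bytes]:
    """Split a captured packet into (key, decoded buffer)."""
    if len(packet) < 4:
        raise ValueError("packet shorter than the 4-byte key")
    key, body = packet[:4], packet[4:]
    return key, xor_bytes(body, key)


def recover_key(blob: bytes, known_prefix: bytes = b"MZ\x90\x00") -> bytes:
    """Known-plaintext recovery for a blob whose key is NOT carried in-band.

    A plugin delivered by the C&C is an MZ-PE image, and PE images from MinGW
    (and most other linkers) begin with the DOS header bytes MZ 90 00. This is
    an assumption: if a sample's header differs, only the first two key bytes
    (from 'MZ') are reliable. XORing the first four ciphertext bytes with the
    known prefix yields the 4-byte key.
    """
    if len(blob) < len(known_prefix):
        raise ValueError("blob too short for known-plaintext recovery")
    return xor_bytes(blob[: len(known_prefix)], known_prefix)


def decode_plugin(blob: bytes) -> bytes:
    """Recover the key from the MZ header and decode the whole plugin image."""
    key = recover_key(blob)
    image = xor_bytes(blob, key)
    if image[:2] != b"MZ":
        raise ValueError("decoded data is not an MZ-PE image")
    return image


# Constructed sample data (not a real Plurox capture).
SAMPLE_KEY = b"\x13\x37\xc0\xde"
SAMPLE_REQUEST = b"auto_proc64"
# Minimal stand-in for a PE image: the usual DOS header start followed by padding.
SAMPLE_PLUGIN = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
)


def demo() -> dict:
    """Run both directions once and return the results for inspection."""
    packet = build_packet(SAMPLE_KEY, SAMPLE_REQUEST)
    key, request = parse_packet(packet)
    encrypted_plugin = xor_bytes(SAMPLE_PLUGIN, SAMPLE_KEY)  # key not sent in-band
    return {
        "packet_hex": packet.hex(),
        "key": key,
        "request": request,
        "recovered_key": recover_key(encrypted_plugin),
        "plugin": decode_plugin(encrypted_plugin),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The same two functions cover the response direction: `parse_packet` applies wherever the key is in-band, and `recover_key` is the analyst's fallback for a plugin blob whose key was negotiated elsewhere, since the first bytes of a PE image are predictable.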

In total, the digital forensics analysts found seven commands in Plurox:

  • Download and run files using the WinAPI CreateProcess
  • Update the bot
  • Delete and stop its service
  • Download and run plugins
  • Interrupt the connection
  • Update a plugin
  • Remove a plugin

According to experts from the International Cyber Security Institute (IICS), Plurox can install one of several cryptocurrency mining programs; the choice depends on the configuration of the targeted system. That configuration information is sent to the C&C server, which responds with the plugin best suited to that specific system.

Another notable Plurox module is the SMB plugin, which spreads the malware across the compromised network using an exploit for the EternalBlue flaw. This is the same SMBv1 vulnerability that Microsoft fixed in MS17-010 in March 2017, so hosts with that update installed (or with SMBv1 disabled) are not exposed to this propagation path.
