Kaspersky's security team has discovered a new strain of malware called Plurox, which packs a cryptominer, a backdoor, and worm-like plugins, all into one.
Plurox is a cut above the regular malware. It comes with advanced capabilities that can spread the malware laterally to more systems and mine cryptocurrency using one of its eight different plugins.

This self-spreading malware has a modular structure that supports its multi-faceted features, such as the backdoor trojan and the cryptominer.
Modular structure of Plurox
At its core, Plurox contains a primary component that allows Plurox bots (the infected hosts) to communicate with a command and control (C&C) server.
The Kaspersky team says that this component is crucial, and that the authors of Plurox use it to download and run files on the infected hosts. The downloaded files are called "plugins," and they contain most of the malware's features.
Motive behind Plurox: Cryptomining
Eight different plugins have been found in Plurox whose sole purpose is cryptocurrency mining. Each of these plugins targets a different hardware configuration for CPU/GPU mining. In addition to these, there is a UPnP plugin and an SMB plugin.
By monitoring the malware's activity, the team found two "subnets." One subnet receives only the mining modules, while the other downloads every module that is available.
Although the purpose of having two separate communication channels is unclear, it does establish that the primary feature of both subnets is cryptocurrency mining.
Plurox inspired by NSA exploits
The SMB plugin mentioned above is essentially a repackaged NSA exploit called EternalBlue, which was publicly leaked in 2017.
The plugin allows bad actors to scan local networks and spread the malware to vulnerable workstations over the SMB protocol (by running the EternalBlue exploit).
But that's not all. The UPnP plugin is actually the sneakiest and nastiest of them all. It creates port forwarding rules on the local network of a compromised system and uses them to build backdoors into enterprise networks, bypassing firewalls and other security measures in place.
Once again, the inspiration behind the UPnP plugin came from another leaked NSA exploit, called EternalSilence. However, instead of reusing the actual EternalSilence code, the Plurox authors developed their own version.
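Because the UPnP plugin works by adding port mappings on the gateway, a practical defensive check is to enumerate the gateway's UPnP port mappings and flag any that forward inbound traffic to sensitive internal services or to hosts nobody registered. The following is an added example written for this article, not code from Kaspersky or from Plurox: it parses responses in the format of the standard UPnP IGD `GetGenericPortMappingEntry` action (service `WANIPConnection`) and audits them. The SOAP responses, the internal addresses and the known-host list are all constructed for the example; in a real audit you would issue the action against your gateway (for example with a UPnP client library) and feed its responses into `parse_port_mapping`.

```python
import xml.etree.ElementTree as ET

# Internal ports a gateway should normally never expose to the Internet.
# 445 is the port Plurox's SMB plugin (EternalBlue) relies on.
SENSITIVE_INTERNAL_PORTS = {445: "SMB", 139: "NetBIOS", 135: "RPC", 3389: "RDP", 22: "SSH"}


def parse_port_mapping(soap_xml):
    """Extract the New* fields from a GetGenericPortMappingEntryResponse body."""
    root = ET.fromstring(soap_xml)
    fields = {}
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]          # drop any XML namespace prefix
        if tag.startswith("New"):
            fields[tag[3:]] = (elem.text or "").strip()
    return {
        "external_port": int(fields["ExternalPort"]),
        "internal_port": int(fields["InternalPort"]),
        "internal_client": fields["InternalClient"],
        "protocol": fields["Protocol"],
        "description": fields["PortMappingDescription"],
        "enabled": fields["Enabled"] == "1",
    }


def audit_mapping(mapping, known_hosts):
    """Return a list of reasons a mapping looks suspicious (empty list = benign)."""
    reasons = []
    if not mapping["enabled"]:
        return reasons                        # disabled rules forward nothing
    service = SENSITIVE_INTERNAL_PORTS.get(mapping["internal_port"])
    if service:
        reasons.append(f"forwards to {service} port {mapping['internal_port']}")
    if mapping["internal_client"] not in known_hosts:
        reasons.append(f"target {mapping['internal_client']} not in known-host list")
    if not mapping["description"]:
        reasons.append("empty description")   # legitimate apps usually label their mappings
    return reasons


def _soap(ext_port, proto, int_port, client, enabled, desc):
    """Build a constructed GetGenericPortMappingEntry response (sample data, not captured)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Constructed sample: one benign mapping, one that exposes SMB on an
# unregistered host with no label, and one disabled leftover rule.
SAMPLE_RESPONSES = [
    _soap(8080, "TCP", 8080, "192.168.1.20", 1, "media-server"),
    _soap(47001, "TCP", 445, "192.168.1.37", 1, ""),
    _soap(3389, "TCP", 3389, "192.168.1.50", 0, "old-rdp"),
]
KNOWN_HOSTS = {"192.168.1.20", "192.168.1.50"}   # constructed inventory of approved LAN hosts


def audit_all(responses=SAMPLE_RESPONSES, known_hosts=KNOWN_HOSTS):
    """Map (protocol, external_port) -> reasons for every suspicious mapping."""
    findings = {}
    for xml in responses:
        mapping = parse_port_mapping(xml)
        reasons = audit_mapping(mapping, known_hosts)
        if reasons:
            findings[(mapping["protocol"], mapping["external_port"])] = reasons
    return findings


if __name__ == "__main__":
    for (proto, port), reasons in audit_all().items():
        print(f"{proto}/{port}: " + "; ".join(reasons))
```

Run against the constructed samples, only the second mapping is reported: it forwards an external port to SMB on a host that is not in the inventory and carries no description. A gateway that exposes no mappings at all, or that has UPnP disabled on its WAN side, removes this avenue entirely, which is why disabling UPnP on the gateway is the usual mitigation.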
Security researchers are still trying to figure out how the Plurox crew spreads the malware to hijack larger networks. For more information, you can refer to Kaspersky's SecureList blog.