Tech

New Plurox malware is a backdoor, cryptominer, and worm, all packed into one

New Plurox malware spotted in the wild in February; uses leaked NSA exploits; focuses on cryptocurrency mining.

Written by Catalin Cimpanu, Contributor June 18, 2019 at 9:55 p.m. PT

See als

10 dangerous app vulnerabilities to watch out for (free PDF)

A new strain of malware has been spotted in the wild by the Kaspersky security team. Named Plurox, this new malware is a cut above the usual malware strains security researchers encounter on a daily basis.

According to Kaspersky, Plurox, despite being in early testing, has some pretty advanced features and can act as a backdoor into infected enterprise networks, can spread laterally to compromise even more systems, and can mine cryptocurrencies using one of eight different plugins.

In other words, the malware can work as a backdoor trojan, a self-spreading virus, and a crypto-miner, all at the same time.

Plurox designed around a modular structure

Spotted for the first time in February this year, the malware's multi-faceted feature-set can be attributed to its modular build.

The malware's core consists of a primary component that allows Plurox bots (infected hosts) to talk to a command and control (C&C) server.

This communications component is at the center of the Plurox malware. According to Kaspersky, the Plurox crew uses it to download and run files on already infected hosts. These additional files are named "plugins" and is where most of the malware's features are present.

Kaspersky said it found eight plugins dedicated for cryptocurrency mining (each plugin focused on CPU/GPU mining on various hardware configurations), one UPnP plugin, and an SMB plugin.

Plurox's main purpose: cryptomining

After analyzing how the malware talked to its C&C server, researchers said they quickly realized that the malware's main purpose was cryptocurrency mining.

"When monitoring the malware's activity, we detected two 'subnets'," said Anton Kuzmenko, Kaspersky researcher.

In one subnet, Plurox bots received only mining modules, and in the second subnet, all modules were available for download.

The purpose of these two separate communication channels is unknown; however, it shows that the primary feature active in both subnets was cryptocurrency mining, and most likely the main reason the Plurox malware was created in the first place.

SMB plugin is a repackaged NSA exploit

As for the other plugins, Kasperksy said the SMB plugin was a repackaged EternalBlue, an exploit developed by the NSA and which was publicly leaked by a mysterious hacker group in 2017.

EternalBlue is currently widely employed by multiple malware gangs, so it's no surprise that Plurox is using it as well.

The purpose of the SMB plugin is to allow attackers to scan local networks and then spread to vulnerable workstations via the SMB protocol (by running the EternalBlue exploit).

Per researchers, parts of Plurox's SMB plugin appear to have been copied from a similar SMB plugin employed by the Trickster malware.

"Based on this, we can assume that the analyzed samples were taken from the same source code (commented lines in the Trickster plugin are missing in the Plurox plugin), which means the respective creators of Plurox and Trickster may be linked," Kuzmenko said.

UPnP plugin inspired by another NSA exploit

But the sneakiest plugin of them all is what Kaspersky calls the UPnP plugin. This module creates port forwarding rules on the local network of an infected host, effectively creating a tunnel (backdoor) into enterprise networks and bypassing firewalls and other security solutions.

Per Kaspersky, the Plurox team appears to have taken inspiration for creating this plugin from another leaked NSA exploit named EternalSilence. However, they didn't use the actual EternalSilence code but developed their own version instead.

Right now, it is unclear how the Plurox gang is spreading this malware to gain an initial foothold on larger networks. Additional technical details and indicators of compromise (IOCs) are available on Kaspersky's SecureList blog.