Kaspersky's security team has discovered a new strain of malware called Plurox, which packs a cryptominer, a backdoor, and worm-like spreading plugins into one package.
Plurox is a cut above run-of-the-mill malware. It comes with capabilities that spread it laterally to other systems on the network and mine cryptocurrency using one of its eight mining plugins.
This self-spreading malware has a modular structure, which is what lets it act as both a backdoor trojan and a cryptominer.
Modular structure of Plurox
At its core, Plurox contains a primary component that lets Plurox bots (the infected hosts) communicate with a command-and-control (C&C) server.
According to the Kaspersky team, this component is crucial: the authors of Plurox use it to download and run files on the infected hosts. The downloaded files are called "plugins," and they carry most of the malware's functionality.
Motive behind Plurox: Cryptomining
Eight different plugins found in Plurox exist purely for cryptocurrency mining; each is built for a particular CPU/GPU hardware configuration. In addition, there is a UPnP plugin and an SMB plugin.
By monitoring the malware's activity, the team found two 'subnets,' i.e. two separate populations of bots. Bots in one subnet receive only the mining modules, while bots in the other download every module that is available.
Although the purpose of running two separate communication channels is unclear, it does show that the primary function of both subnets is cryptocurrency mining.
Plurox inspired by NSA exploits
The SMB plugin mentioned above is essentially a repackaged version of EternalBlue, the NSA exploit for the SMB protocol that was leaked publicly in 2017.
The plugin lets the operators scan the local network and spread the malware to vulnerable workstations over SMB by running the EternalBlue exploit against them.
But that's not all. The UPnP plugin is the sneakiest and nastiest of them all. It uses the UPnP protocol to create port-forwarding rules on the compromised system's local network, so that hosts behind the perimeter become reachable from the outside. That gives the attackers a backdoor into enterprise networks that bypasses firewalls and other security measures in place.
Once again, the inspiration for the UPnP plugin came from another leaked NSA exploit, EternalSilence. Rather than reusing the actual EternalSilence code, however, the authors developed their own version.
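As an added illustration (this is not Plurox's code and not anything from Kaspersky's report), the following Python script performs the check a defender would want after reading the above: it asks the local UPnP gateway for its complete port-mapping table, using the standard WANIPConnection GetGenericPortMappingEntry action, and flags any mapping that exposes an internal port that should never be reachable from the Internet. The control URL, the list of sensitive ports and the two sample responses embedded for offline use are assumptions made for the example, not details from the article.

```python
"""Audit the port mappings on a UPnP Internet Gateway Device (IGD).

Added example, not Plurox code and not Kaspersky's tooling. Malware on the
LAN can ask the router over UPnP to forward a WAN-side port to an internal
host, making that host reachable from the Internet through the perimeter
firewall. This script walks the router's mapping table with the standard
WANIPConnection:1 action GetGenericPortMappingEntry and flags mappings whose
internal port local policy would not expect to be exposed. The control URL,
the sensitive-port set and the sample responses are assumptions.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

SERVICE_TYPE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
# Assumed policy for this example: internal ports that must not face the WAN.
SENSITIVE_INTERNAL_PORTS = {22, 23, 135, 139, 445, 3389}


@dataclass
class PortMapping:
    index: int
    remote_host: str      # "" means any remote host may connect
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str  # LAN host the traffic is forwarded to
    enabled: bool
    description: str
    lease_duration: int   # 0 means the mapping is permanent


def build_request_body(index: int) -> bytes:
    """SOAP envelope for GetGenericPortMappingEntry(NewPortMappingIndex=index)."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:{ACTION} xmlns:u="{SERVICE_TYPE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    ).encode()


def parse_mapping_response(xml_bytes: bytes, index: int) -> PortMapping:
    """Pull the mapping fields out of a GetGenericPortMappingEntryResponse."""
    root = ET.fromstring(xml_bytes)
    resp = next((el for el in root.iter() if el.tag.endswith(ACTION + "Response")), None)
    if resp is None:
        raise ValueError("no %sResponse element in SOAP body" % ACTION)

    def field(name: str) -> str:
        el = resp.find(name)  # argument elements carry no namespace
        return (el.text or "").strip() if el is not None else ""

    return PortMapping(
        index=index, remote_host=field("NewRemoteHost"),
        external_port=int(field("NewExternalPort")), protocol=field("NewProtocol"),
        internal_port=int(field("NewInternalPort")), internal_client=field("NewInternalClient"),
        enabled=field("NewEnabled") == "1", description=field("NewPortMappingDescription"),
        lease_duration=int(field("NewLeaseDuration") or "0"))


def fetch_all_mappings(control_url: str, timeout: float = 3.0,
                       max_entries: int = 1024) -> List[PortMapping]:
    """Walk the mapping table from index 0 until the IGD reports the index is
    out of range (a SOAP fault, delivered as HTTP 500)."""
    mappings: List[PortMapping] = []
    for index in range(max_entries):
        req = urllib.request.Request(control_url, data=build_request_body(index), method="POST")
        req.add_header("Content-Type", 'text/xml; charset="utf-8"')
        req.add_header("SOAPAction", '"%s#%s"' % (SERVICE_TYPE, ACTION))
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                body = r.read()
        except urllib.error.HTTPError:
            break  # SpecifiedArrayIndexInvalid: end of table
        mappings.append(parse_mapping_response(body, index))
    return mappings


def flag_suspicious(mappings: List[PortMapping],
                    sensitive_ports=SENSITIVE_INTERNAL_PORTS) -> List[Tuple[PortMapping, str]]:
    """Return (mapping, reason) for each enabled mapping exposing a sensitive port."""
    findings = []
    for m in mappings:
        if not m.enabled or m.internal_port not in sensitive_ports:
            continue
        reason = "internal port %d on %s reachable from WAN port %d/%s" % (
            m.internal_port, m.internal_client, m.external_port, m.protocol)
        if m.remote_host == "" and m.lease_duration == 0:
            reason += " (permanent, any remote host)"
        findings.append((m, reason))
    return findings


# Constructed sample responses (not captured from a real device) for offline use.
SAMPLE_EXPOSED_SMB = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>47855</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>445</NewInternalPort><NewInternalClient>192.168.1.37</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>sync</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
SAMPLE_BENIGN = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>32400</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>32400</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>plex</NewPortMappingDescription>
<NewLeaseDuration>3600</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""


def audit_samples() -> List[Tuple[PortMapping, str]]:
    """Run the audit over the constructed samples and return the findings."""
    return flag_suspicious([parse_mapping_response(SAMPLE_EXPOSED_SMB, 0),
                            parse_mapping_response(SAMPLE_BENIGN, 1)])
```

Against a live gateway, the control URL comes from the device-description XML the router advertises over SSDP; with it in hand, `flag_suspicious(fetch_all_mappings(url))` runs the same audit. Disabling UPnP on the perimeter device altogether removes the capability this kind of plugin relies on.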
Security researchers are still trying to work out how the Plurox crew is spreading the malware to hijack larger networks. For more details, refer to Kaspersky's SecureList blog.