Security researchers at Kaspersky have discovered a new strain of malware, named Plurox, that combines a cryptominer, a backdoor and worm-like spreading plugins in a single package.
Plurox goes beyond ordinary malware: it can spread laterally to other systems on the network, and it mines cryptocurrency using one of its eight mining plugins, chosen to match the infected machine's hardware.
The self-spreading malware has a modular structure that supports its combined roles of backdoor trojan and cryptominer.
At the core of Plurox is a primary component that lets Plurox bots (the infected hosts) communicate with a command-and-control (C&C) server.
According to the Kaspersky team, this component is crucial: the authors of Plurox use it to download and run files on the infected hosts. The downloaded files are called "plugins," and they hold most of the malware's functionality.
The main aim of Plurox is cryptocurrency mining. Kaspersky found eight different mining plugins, each built for a particular CPU/GPU hardware configuration. In addition there is a UPnP plugin and an SMB plugin.
While observing the malware's activity, the researchers found two 'subnets.' Bots in one subnet receive only mining modules, while bots in the other download every module that is available.
Although the reason for two separate communication channels is not clear, what is clear is that the primary function of both subnets is cryptocurrency mining.
The SMB plugin is essentially a repackaged version of EternalBlue, the NSA exploit that was leaked publicly in 2017. The plugin lets the malware scan the local network and spread to vulnerable workstations over the SMB protocol by running the EternalBlue exploit against them. Hosts that are patched against EternalBlue, or that have SMBv1 disabled, are not affected by this plugin.
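The scan-then-exploit behaviour described above leaves a recognisable pattern in network flow logs: one internal host opening connections to many distinct neighbours on tcp/445 in a short time. The following detector is an added example, not code from Plurox or from Kaspersky's analysis; the flow-log format and the log lines it runs on are constructed, and the threshold and window are assumed starting values that would need tuning for a real network.

```python
"""Flag hosts that sweep the local network on tcp/445, the pattern an
SMB-spreading plugin like Plurox's leaves in flow logs. Added example, not
Plurox or Kaspersky code; the log format and the lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed flow-record format: "<iso-timestamp> src=A dst=B dport=N proto=P"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one flow record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"].lower()}


def detect_smb_sweeps(lines, threshold=5, window_s=60):
    """Alert on any source that contacts >= threshold distinct hosts on
    tcp/445 inside a sliding window of window_s seconds (assumed defaults).
    Returns {src: {first_seen, last_seen, distinct_hosts}} for the moment
    each source first crossed the threshold."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    alerts = {}
    for rec in map(parse_line, lines):
        if rec is None or rec["dport"] != 445 or rec["proto"] != "tcp":
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["dst"]))
        # Drop records older than the window, measured from the newest one.
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and rec["src"] not in alerts:
            alerts[rec["src"]] = {
                "first_seen": q[0][0].isoformat(),
                "last_seen": rec["ts"].isoformat(),
                "distinct_hosts": len(distinct),
            }
    return alerts


# Constructed sample: .20 sweeps six hosts in six seconds, .50 talks only to the
# file server, .60 touches three hosts but spread over four minutes.
SAMPLE_LOG = """\
2019-06-18T10:00:00Z src=192.168.1.50 dst=192.168.1.5 dport=445 proto=tcp
2019-06-18T10:00:00Z src=192.168.1.20 dst=192.168.1.1 dport=445 proto=tcp
2019-06-18T10:00:00Z src=192.168.1.60 dst=192.168.1.7 dport=445 proto=tcp
2019-06-18T10:00:01Z src=192.168.1.20 dst=192.168.1.2 dport=445 proto=tcp
2019-06-18T10:00:02Z src=192.168.1.20 dst=192.168.1.3 dport=445 proto=tcp
2019-06-18T10:00:02Z src=192.168.1.20 dst=192.168.1.3 dport=80 proto=tcp
2019-06-18T10:00:03Z src=192.168.1.20 dst=192.168.1.4 dport=445 proto=tcp
2019-06-18T10:00:04Z src=192.168.1.20 dst=192.168.1.5 dport=445 proto=tcp
garbage line that does not parse
2019-06-18T10:00:05Z src=192.168.1.20 dst=192.168.1.6 dport=445 proto=tcp
2019-06-18T10:00:30Z src=192.168.1.50 dst=192.168.1.5 dport=445 proto=tcp
2019-06-18T10:02:00Z src=192.168.1.60 dst=192.168.1.8 dport=445 proto=tcp
2019-06-18T10:04:00Z src=192.168.1.60 dst=192.168.1.9 dport=445 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for src, info in detect_smb_sweeps(SAMPLE_LOG).items():
        print(f"SMB sweep from {src}: {info['distinct_hosts']} hosts between "
              f"{info['first_seen']} and {info['last_seen']}")
```

The window matters as much as the threshold: the host that reaches three neighbours over four minutes is only flagged if the window is widened to cover it, which is exactly the trade-off between catching a slow spreader and paging on an administrator's routine file-share access. Vulnerability scanners and backup servers will trigger this rule legitimately and belong on an allowlist.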
The UPnP plugin creates port-forwarding rules on the compromised system's local network and uses them to build backdoors into enterprise networks, bypassing firewalls and other perimeter defences.
The idea for the UPnP plugin appears to come from another leaked NSA exploit, EternalSilence, but the Plurox developers wrote their own code rather than reusing the EternalSilence code.
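A port-forwarding rule planted by a plugin like this one lives in the gateway's UPnP IGD mapping table, which any LAN host can read back with the standard WANIPConnection GetGenericPortMappingEntry action. The audit script below is an added example, not Plurox code or anything from Kaspersky's report: it builds those SOAP requests, parses the replies, and flags rules that expose an internal host. The gateway control URL and the sample replies are constructed so it runs offline, and the "sensitive port" list and the heuristics are the author's assumptions, not a description of how Plurox names or shapes its rules.

```python
"""Audit the port-forwarding table of a UPnP Internet Gateway Device (IGD).

Added example, not Plurox code. It walks the mapping table with the standard
WANIPConnection GetGenericPortMappingEntry action and flags rules that expose
internal hosts. The SOAP replies below are constructed so it runs offline."""
import xml.etree.ElementTree as ET
from ipaddress import ip_address

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Assumed list of internal ports a forwarding rule should almost never expose.
SENSITIVE_PORTS = {22, 135, 139, 445, 3389, 5985}


def build_enum_request(index):
    """Headers and body for GetGenericPortMappingEntry(index). The IGD answers
    with a SOAP fault (UPnP error 713) once the index is past the last rule."""
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP_NS}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP_NS}#GetGenericPortMappingEntry"'}
    return headers, body


def parse_mapping(xml_text):
    """Return one mapping as a dict, or None when the reply is a SOAP fault."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{WANIP_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        return None
    f = {child.tag: (child.text or "") for child in resp}   # children carry no namespace
    return {"remote_host": f["NewRemoteHost"],
            "external_port": int(f["NewExternalPort"]),
            "protocol": f["NewProtocol"],
            "internal_port": int(f["NewInternalPort"]),
            "internal_client": f["NewInternalClient"],
            "enabled": f["NewEnabled"] == "1",
            "description": f["NewPortMappingDescription"]}


def suspicious(m):
    """Assumed heuristics for rules a defender should look at."""
    reasons = []
    if m["internal_port"] in SENSITIVE_PORTS:
        reasons.append(f"exposes internal port {m['internal_port']}")
    if not ip_address(m["internal_client"]).is_private:
        reasons.append("forwards to a host outside the LAN")
    if not m["description"].strip():
        reasons.append("no description")
    return reasons


def audit(responses):
    """Walk replies in index order, stopping at the first fault."""
    flagged = []
    for index, text in enumerate(responses):
        m = parse_mapping(text)
        if m is None:
            break
        reasons = suspicious(m)
        if reasons:
            flagged.append((index, m, reasons))
    return flagged


def _sample(remote, ext, proto, iport, client, desc):
    """Constructed reply in the shape an IGD returns."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">'
            f'<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


SAMPLE_FAULT = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
                '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
                '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
                '<errorCode>713</errorCode>'
                '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription>'
                '</UPnPError></detail></s:Fault></s:Body></s:Envelope>')

# Constructed table: one benign rule, then two that expose SMB and RDP.
SAMPLE_RESPONSES = [
    _sample("", 51413, "TCP", 51413, "192.168.1.30", "BitTorrent"),
    _sample("", 47001, "TCP", 445, "192.168.1.20", ""),
    _sample("", 47002, "TCP", 3389, "192.168.1.21", ""),
    SAMPLE_FAULT,
]

if __name__ == "__main__":
    # Live use: POST build_enum_request(i) for i = 0, 1, ... to the gateway's
    # WANIPConnection control URL (found via SSDP; assumed, not shown) and
    # pass the reply bodies to audit() in the same order.
    for index, m, reasons in audit(SAMPLE_RESPONSES):
        print(f"[{index}] {m['protocol']}/{m['external_port']} -> "
              f"{m['internal_client']}:{m['internal_port']}: {', '.join(reasons)}")
```

Running this periodically from a LAN host, and alerting on any rule that appears without a change ticket, turns the gateway's own mapping table into a detection source; the stronger fix is to disable UPnP on the gateway entirely, since a firewall that any internal process can reconfigure is not a perimeter.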
It is still unclear how the Plurox gang is distributing the malware to gain a foothold in larger networks, and the researchers are working to find out.