Plurox: Modular backdoor
Quote:
[Image: 190617-plurox-1.png]

In February this year, a curious backdoor passed across our virtual desk. The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on victim computers. What’s more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins, as required. Post-analysis, the malware was named Backdoor.Win32.Plurox.

Key features

Plurox is written in C and compiled with Mingw GCC, and judging by the presence of debug lines, the malware was at the testing stage when detected.

The backdoor uses the TCP protocol to communicate with the C&C server; plugins are loaded and directly interfaced via two different ports, which are stitched into the body of Plurox; the C&C addresses are also hardcoded into the bot. When monitoring the malware’s activity, we detected two “subnets.” In one, Plurox receives only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) from the C&C center, while in the other, besides miners (auto_opencl_amd, auto_miner), it is passed several plugins, which will be discussed later.

The Plurox family has virtually no encryption, only a few 4-byte keys are applied for the regular XOR cipher. The packet for calling the C&C server looks as follows:
 
[Image: 190617-plurox-2.png]

The buffer contains an XORed string with the key at the start of the packet. The response from the C&C center contains the command to be executed, plus data for its execution, which is encrypted using XOR. When the plugin is loaded, the bot itself selects the required bitness and requests both auto_proc and auto_proc64. In response there arrives a packet with an encrypted plugin, the usual MZ-PE.

Supported commands

The Plurox version we found supports a total of seven commands:

* Download and run files using WinAPI CreateProcess
* Update bot
* Delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry)
* Download and run plugin
* Stop plugin
* Update plugin (stop process and delete file of old version, load and start new one)
* Stop and delete plugin

Plugins

During the monitoring, we managed to detect several Plurox plugins and study them all.

Plugin miners

The malware can install on the victim computer one of several cryptocurrency miners, depending on the particular system configuration. The bot sends the package with the system configuration to the C&C server, and in response it receives information about which plugin to download. We counted eight mining modules in total, whose features can be guessed from their names:

* auto_proc
* auto_cuda
* auto_miner
* auto_opencl_amd
* auto_gpu_intel
* auto_gpu_nvidia
* auto_gpu_cuda
* auto_gpu_amd

UPnP plugin

The module receives from the C&C a subnet with mask /24, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP address on the router using the UPnP protocol. If successful, it reports the result to the C&C center, waits for 300 seconds (5 minutes), and then deletes the forwarded ports. We assume that this plugin can be used to attack a local network. It would take an attacker just five minutes to sort through all existing exploits for services running on these ports. If the administrators notice the attack on the host, they will see the attack coming directly from the router, not from a local machine. A successful attack will help the cybercriminals gain a foothold in the network.
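The post describes Plurox's "encryption" as a plain repeating 4-byte XOR, with the key sitting at the front of the beacon packet and plugins arriving as XORed MZ-PE files. The following Python is an added example for analysts (it is not Kaspersky's tooling or Plurox code) showing how little protection that gives: a decoder for the beacon, and a known-plaintext recovery of the 4-byte key from a captured plugin blob. The exact packet layout in the screenshot is not legible here, so the "4-byte key followed by the XORed string" layout, the sample key, the `auto_proc64` string and the minimal PE skeleton are all constructed assumptions; the DOS-stub prefix `MZ\x90\x00` used as known plaintext is the common but not universal first four bytes of a Windows executable.

```python
"""Decode Plurox-style 4-byte XOR traffic (added example, not the malware's or the vendor's code)."""
import struct
from typing import Dict, Optional

# Constructed sample key; real samples hardcode their own keys.
SAMPLE_KEY = b"\x13\x37\xc0\xde"


def xor4(data: bytes, key: bytes) -> bytes:
    """Repeating 4-byte XOR. Encrypt and decrypt are the same operation."""
    if len(key) != 4:
        raise ValueError("expected a 4-byte key")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def parse_beacon(packet: bytes) -> str:
    """Decode a bot-to-C2 packet.

    ASSUMED layout (the post only says the key is 'at the start of the packet'):
    bytes 0..3 = XOR key, bytes 4.. = XORed, NUL-padded ASCII string.
    """
    if len(packet) < 5:
        raise ValueError("packet too short to hold a key and a string")
    key, buf = packet[:4], packet[4:]
    return xor4(buf, key).rstrip(b"\x00").decode("ascii", errors="replace")


def recover_pe_key(blob: bytes) -> Optional[bytes]:
    """Recover the 4-byte key from an XORed MZ-PE plugin by known plaintext.

    Step 1: assume the first four plaintext bytes are the usual DOS stub 'MZ\\x90\\x00',
            which yields a full 4-byte key candidate in one shot.
    Step 2: verify the candidate by decrypting and checking that e_lfanew (offset 0x3C)
            points at a 'PE\\0\\0' signature. Returns None when verification fails.
    """
    if len(blob) < 0x40:
        return None
    candidate = xor4(blob[:4], b"MZ\x90\x00")  # ciphertext XOR known plaintext = key
    plain = xor4(blob, candidate)
    e_lfanew = struct.unpack_from("<I", plain, 0x3C)[0]
    if plain[:2] == b"MZ" and e_lfanew + 4 <= len(plain) \
            and plain[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return candidate
    return None


def build_fake_pe() -> bytes:
    """Constructed MZ/PE skeleton for testing only; it is not a runnable executable."""
    dos = bytearray(b"MZ\x90\x00" + b"\x00" * 0x3C)  # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE header at 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20  # signature plus padding


def demo() -> Dict[str, object]:
    """Round-trip a beacon and a plugin through the cipher and recover the key."""
    beacon = SAMPLE_KEY + xor4(b"auto_proc64", SAMPLE_KEY)
    encrypted_plugin = xor4(build_fake_pe(), SAMPLE_KEY)
    return {
        "beacon_string": parse_beacon(beacon),
        "recovered_key": recover_pe_key(encrypted_plugin),
        "garbage_key": recover_pe_key(xor4(b"not a pe" * 20, SAMPLE_KEY)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the key never changes within a stream, recovering it from one plugin download decrypts every other message under the same key; that is the property a detection engineer can lean on when writing a decoder for captured traffic.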
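The UPnP plugin leaves a visible trace on the router: for about five minutes it adds port mappings that forward to 135 and 445 on an internal host. The following Python is an added defensive example (not part of the Kaspersky write-up or the malware) that audits `GetGenericPortMappingEntry` responses from a UPnP IGD `WANIPConnection` service and flags mappings whose internal port is MS-RPC or SMB, with the short lease as an extra indicator. The SOAP responses are constructed inline; obtaining them from a real router (SSDP discovery, then enumerating mapping indices until the service returns an error) is outside this snippet and is assumed to be done by the caller.

```python
"""Flag UPnP port mappings that forward to MS-RPC/SMB (added example, not the vendor's code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Internal ports the post says the plugin exposes via the router.
SUSPICIOUS_INTERNAL_PORTS = {135: "MS-RPC", 445: "SMB"}
# The plugin keeps its mappings for 300 s; anything at or below that is short-lived.
SHORT_LEASE_SECONDS = 300


def _local(tag: str) -> str:
    """Strip an XML namespace prefix like '{urn:...}Name' down to 'Name'."""
    return tag.rsplit("}", 1)[-1]


def parse_mapping(soap_body: str) -> Dict[str, str]:
    """Collect the New* argument elements of a GetGenericPortMappingEntry response."""
    root = ET.fromstring(soap_body)
    fields: Dict[str, str] = {}
    for el in root.iter():
        name = _local(el.tag)
        if name.startswith("New"):
            fields[name] = (el.text or "").strip()
    return fields


def audit_mappings(responses: List[str]) -> List[Dict[str, object]]:
    """Return one finding per mapping that exposes 135/445 on an internal host."""
    findings: List[Dict[str, object]] = []
    for body in responses:
        m = parse_mapping(body)
        try:
            internal_port = int(m.get("NewInternalPort", "0"))
            lease = int(m.get("NewLeaseDuration", "0"))
            external_port = int(m.get("NewExternalPort", "0"))
        except ValueError:
            continue  # malformed entry; skip rather than crash the audit
        if internal_port not in SUSPICIOUS_INTERNAL_PORTS:
            continue
        findings.append({
            "internal_client": m.get("NewInternalClient", ""),
            "internal_port": internal_port,
            "service": SUSPICIOUS_INTERNAL_PORTS[internal_port],
            "external_port": external_port,
            "protocol": m.get("NewProtocol", ""),
            # A lease of 1..300 s matches the plugin's add-wait-delete pattern.
            "short_lease": 0 < lease <= SHORT_LEASE_SECONDS,
        })
    return findings


def make_response(ext: int, proto: str, iport: int, client: str, lease: int, desc: str = "") -> str:
    """Build a constructed GetGenericPortMappingEntry SOAP response for testing."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Constructed sample: two Plurox-like mappings plus one benign long-lived web forward.
SAMPLE_RESPONSES = [
    make_response(41135, "TCP", 135, "10.0.0.23", 300),
    make_response(445, "TCP", 445, "10.0.0.40", 300),
    make_response(8080, "TCP", 80, "10.0.0.5", 0, "home web server"),
]


if __name__ == "__main__":
    for f in audit_mappings(SAMPLE_RESPONSES):
        print(f)
```

Polling the router's mapping table on a schedule and alerting on any entry that lands in this list is a cheap way to catch the plugin's five-minute window; disabling UPnP on the gateway removes the technique entirely.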

