In February this year, a curious backdoor passed across our virtual desk. The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on victim computers. What’s more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins, as required. Post-analysis, the malware was named Backdoor.Win32.Plurox.
Plurox is written in C and complied with Mingw GCC, and judging by the presence of debug lines, the malware was at the testing stage when detected.
The backdoor uses the TCP protocol to communicate with the C&C server; plugins are loaded and directly interfaced via two different ports, which are stitched into the body of Plurox; the C&C addresses are also hardcoded into the bot. When monitoring the malware’s activity, we detected two “subnets.” In one, Plurox receives only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) from the C&C center, while in the other, besides miners (auto_opencl_amd, auto_miner), it is passed several plugins, which will be discussed later.
Source: Kaspersky Lab