Plurox Modular Malware Spreads Over Local Network and Provide Access to Attackers for Installing Additional Malware

A new malware dubbed Plurox spread itself over the local network using EternalBlue exploit and let attackers gain access to the network to install miners and other malware on the victim’s machine.

The malware is modular, which means; attackers can expand its functionality by adding additional plugins, as required.

Kaspersky researchers discovered the malware in February, it was written in C and compiled with Mingw GCC. Communication with C&C server established through TCP protocol and the plugins are loaded with interfaced via two different ports that are defined with Plurox, and the C&C address is hardcoded.

Plurox Malware Plugins

The C&C server instructs the malware to extract the information from the infected machine, and the commands are encrypted using XOR. Plurox supports for the following seven commands.

• Download and run files using WinAPI CreateProcess
• Update bot
• Delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry)
• Download and run plugin
• Stop plugin
• Update plugin (stop the process and delete the file of the old version, load and start a new one)
• Stop and delete the plugin

The malware install’s crypto mine’s based on the system configuration, it sends the system configuration details to the C&C server, and it gets information on which plugin needs to be installed.

“The UPnP plugin modules receives from the C&C a subnet with mask /24, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP address on the router using the UPnP protocol. If successful, it reports the result to the C&C center, waits for 300 seconds (5 minutes), and then deletes the forwarded ports. Researchers believe that this plugin can be used to attack a local network.”

Next one is the SMB plugin responsible for spreading malware over the network using the EternalBlue exploit. Based on the analysis, researchers believe the creators of Plurox and Trickster may be linked.

IoC

C&C servers

178.21[.]11.90
 185.146[.]157.143
 37.140[.]199.65
 194.58[.]92.63
 obuhov2k[.]beget[.]tech
 webdynamicname[.]com
 37.46[.]131.250
 188.93[.]210.42

MD5

 Main body
 59523DD8F5CE128B68EA44ED2EDD5FCA
 C4A74D79030336A0C3CF60DE2CFAE9E9
 CECFD6BCFDD56B5CC1C129740EA2C524
 BE591AA0E48E496B781004D0E833E261
 Trickster Worm module
 f233dd609821c896a4cb342cf0afe7b2
 auto_proc32
 2e55ae88c67b1d871049af022cc22aac
 auto_proc64
 b2d76d715a81862db84f216112fb6930
 auto_opencl_amd32
 a24fd434ffc7d3157272189753118fbf
 auto_opencl_amd64
 117f978f07a658bce0b5751617e9d465
 auto_miner32
 768857d6792ee7be1e1c5b60636501e5
 auto_miner64
 e8aed94c43c8c6f8218e0f2e9b57f083
 upnp32
 8cf5c72217c1bb48902da2c83c9ccd4e
 upnp64
 b2824d2007c5a1077856ae6d8192f523
 smb32
 6915dd5186c65891503f90e91d8716c6
 smb64
 cd68adc0fbd78117521b7995570333b2

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Related Read

Malicious Apps from Google PlayStore Bypassing SMS-Based Two-Factor Authentication and Steal OTPs in SMS

New Android Malware that Uses Chrome to Load Malicious websites through Notifications

FIN8 Hacker Group using Highly Sophisticated ShellTea Malware to Attack Hospitality Sector