The Kaspersky security team discovered a new type of malware in the wild in February. The malware, called Plurox, is much more dangerous than the common malware that security researchers encounter day to day. According to Kaspersky, although Plurox is in the early testing stage, it has some advanced features: it can serve as a backdoor into infected enterprise networks, spread laterally to endanger more systems, and mine cryptocurrency using eight mining plugins from the C&C server. Kaspersky wrote:
“We counted eight mining modules in total, whose features can be guessed from their names: auto_proc, auto_cuda, auto_miner, auto_opencl_amd, auto_gpu_intel, auto_gpu_nvidia, auto_gpu_cuda, auto_gpu_amd.”
The core of the malware is a primary component that allows Plurox bots (infected hosts) to communicate with C&C (command and control) servers. This communication component is at the heart of the Plurox malware.
According to Kaspersky, hackers use Plurox to download and run files on infected hosts. Kaspersky found eight plugins for cryptocurrency mining (each for CPU or GPU mining on a different hardware configuration), a Universal Plug and Play (UPnP) plugin and an SMB plugin. After analyzing how the malware communicates with the C&C server, the researchers found that its main purpose was cryptocurrency mining.
Kaspersky researcher Anton Kuzmenko said that, while monitoring the malware's activity, the researchers saw Plurox use two subnets during its attacks. In one subnet, the Plurox bots receive only the mining module; in the second subnet, all modules can be downloaded.
The SMB plugin is a repackaged version of the NSA-leaked EternalBlue exploit. It allows an attacker to scan a local network and then spread the malware to workstations via the SMB protocol. But the most harmful plugin is the UPnP plugin. The module creates ports on the infected host's local network, effectively creating a backdoor into the corporate network and bypassing firewalls and other security solutions. At the moment, it is unclear how the Plurox gang will spread this malware to gain a foothold in a larger network.
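
For defenders, the local-network scan that precedes SMB propagation shows up in flow logs as one internal host contacting many internal peers on TCP 445 in a short time. The following is an added example, not code from Kaspersky's report; the flow tuple format, the sample records, the 10-peer threshold and the 5-minute window are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

SMB_PORT = 445

def smb_fanout_alerts(flows, max_peers=10, window=timedelta(minutes=5)):
    """Return {source_ip: peak distinct internal SMB peers} for sources that
    contacted more than max_peers internal hosts on TCP 445 within any window."""
    recent = defaultdict(deque)   # src -> (time, dst) events still inside the window
    alerts = {}
    for ts, src, dst, dport in sorted(flows):
        if dport != SMB_PORT:
            continue
        # Lateral movement keeps both endpoints inside private address space.
        if not (ip_address(src).is_private and ip_address(dst).is_private):
            continue
        events = recent[src]
        events.append((ts, dst))
        while ts - events[0][0] > window:   # expire events older than the window
            events.popleft()
        peers = len({d for _, d in events})
        if peers > max_peers:
            alerts[src] = max(alerts.get(src, 0), peers)
    return alerts

def constructed_flows():
    """Constructed sample data (timestamp, src, dst, dst_port); not real traffic."""
    t0 = datetime(2019, 6, 1, 9, 0, 0)
    flows = []
    # 10.0.0.23 touches 40 neighbours on 445 in 40 seconds (scanner-like).
    for i in range(40):
        flows.append((t0 + timedelta(seconds=i), "10.0.0.23", f"10.0.0.{100 + i}", 445))
    # 10.0.0.50 keeps using the same two file servers (normal client behaviour).
    for i in range(30):
        flows.append((t0 + timedelta(seconds=10 * i), "10.0.0.50", f"10.0.0.{5 + i % 2}", 445))
    # 10.0.0.60 reaches 12 hosts on 445, but one per hour (under the per-window threshold).
    for i in range(12):
        flows.append((t0 + timedelta(hours=i), "10.0.0.60", f"10.0.0.{200 + i}", 445))
    # Non-SMB traffic is ignored.
    flows.append((t0, "10.0.0.23", "10.0.0.7", 443))
    return flows

if __name__ == "__main__":
    for src, peers in smb_fanout_alerts(constructed_flows()).items():
        print(f"ALERT {src}: {peers} distinct internal SMB peers within 5 minutes")
```

Legitimate scanners, backup servers and domain controllers also fan out on 445, so thresholds need tuning and known sources need allow-listing per environment.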