Modular Backdoor Can Spread Over Local Network

silversurfer

A recently discovered backdoor can spread itself over a local network, in addition to allowing attackers to install additional malware onto compromised machines.

Initially observed in February this year, when it was still in the testing phase, and dubbed Plurox, the backdoor is written in C and compiled with Mingw GCC. It uses the TCP protocol for communication with the command and control (C&C) server and supports a variety of plugins to expand its capabilities.

While analyzing the malware, Kaspersky’s security researchers discovered that it uses two different ports to load plugins. The ports and the C&C addresses are hardcoded into the bot.

The researchers also discovered two subnets of malicious activity. In one of them the backdoor receives only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) from the C&C, while in the other it also receives several plugins, in addition to miners (auto_opencl_amd, auto_miner).

The botnet supports a total of seven commands, which allow it to download and execute files using the WinAPI CreateProcess, update the bot, delete and stop itself (delete its own service, remove itself from autoload, delete files, remove artifacts from the registry), and download and run, stop, stop and delete, or update a plugin (stop the process and delete the file of the old version, then load and start the new one).

The backdoor can install one of several cryptocurrency miners, depending on the system configuration. For that, the bot sends information about the system to the C&C, which then tells it which plugin to download.