Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Modular Backdoor Can Spread Over Local Network

A recently discovered backdoor can spread itself over a local network, in addition to allowing attackers to install additional malware onto compromised machines. 

A recently discovered backdoor can spread itself over a local network, in addition to allowing attackers to install additional malware onto compromised machines. 

Initially observed in February this year, when still in testing phase, and dubbed Plurox, the backdoor is written in C and compiled with Mingw GCC. It uses the TCP protocol for communication with the command and control (C&C) server and supports a variety of plugins to expand capabilities. 

While analyzing the malware, Kaspersky’s security researchers discovered that it uses two different ports to load plugins. The ports and the C&C addresses are hardcoded into the bot. 

The researchers also discovered two subnets of malicious activity. In one of them the backdoor receives only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) from the C&C, while in the other it also receives several plugins, in addition to miners (auto_opencl_amd, auto_miner).

The botnet supports a total of seven commands, which allow it to download and execute files using WinAPI CreateProcess, update the bot, delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry), download and run/stop/stop and delete/update plugin (stop process and delete file of old version, load and start new one). 

The backdoor can install one of several cryptocurrency miners, depending on the system configuration. For that, the bot sends information about the system to the C&C, which then tells it which plugin to download. 

Kaspersky has observed eight mining modules in total, which target different processors: auto_proc, auto_cuda, auto_miner, auto_opencl_amd, auto_gpu_intel, auto_gpu_nvidia, auto_gpu_cuda, and auto_gpu_amd. 

Plurox also supports an UPnP plugin, which was likely designed to attack a local network. 

Advertisement. Scroll to continue reading.

After receiving from the C&C a subnet with mask /24, the module retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the current IP address on the router, using the UPnP protocol. If successful, it reports to the C&C, then deletes the forwarded ports after 5 minutes. 

“It would take an attacker just five minutes to sort through all existing exploits for services running on these ports. If the administrators notice the attack on the host, they will see the attack coming directly from the router, not from a local machine. A successful attack will help the cybercriminals gain a foothold in the network,” Kaspersky explains. 

The plugin appears similar to EternalSilence, a campaign detailed in November last year, which aimed to ensnare a quarter million devices in the UPnProxy botnet. The difference is that Plurox forwards TCP port 135 instead of 139. 

Another plugin in the new backdoor is responsible for spreading over the local network using the NSA-linked EternalBlue exploit. The module is identical with the one used in the Trickster Trojan, “but with no debug lines in the code, plus the payload in the exploit is loaded using sockets,” Kaspersky says. 

The analysis revealed not only that the injected code is similar, but also that the code for standard procedures is the same, which led the researchers to the conclusion that the samples were taken from the same source code, suggesting that the creators of Plurox and Trickster may be linked.

Related: Hackers Using NSA Hacking Tools to Build Botnet

Related: New Version of ShellTea Backdoor Used by FIN8 Hacking Group

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Coro, a provider of cybersecurity solutions for SMBs, has appointed Joe Sykora as CEO.

SonicWall has hired Rajnish Mishra as Senior Vice President and Chief Development Officer.

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.