Modular Backdoor Can Spread Over Local Network

A recently discovered backdoor can spread itself over a local network, in addition to allowing attackers to install additional malware onto compromised machines. 

Initially observed in February this year, when still in testing phase, and dubbed Plurox, the backdoor is written in C and compiled with Mingw GCC. It uses the TCP protocol for communication with the command and control (C&C) server and supports a variety of plugins to expand capabilities. 

While analyzing the malware, Kaspersky’s security researchers discovered that it uses two different ports to load plugins. The ports and the C&C addresses are hardcoded into the bot. 

The researchers also discovered two subnets of malicious activity. In one of them the backdoor receives only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) from the C&C, while in the other it also receives several plugins, in addition to miners (auto_opencl_amd, auto_miner).

The botnet supports a total of seven commands, which allow it to download and execute files using WinAPI CreateProcess, update the bot, delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry), download and run/stop/stop and delete/update plugin (stop process and delete file of old version, load and start new one). 

The backdoor can install one of several cryptocurrency miners, depending on the system configuration. For that, the bot sends information about the system to the C&C, which then tells it which plugin to download. 

Kaspersky has observed eight mining modules in total, which target different processors: auto_proc, auto_cuda, auto_miner, auto_opencl_amd, auto_gpu_intel, auto_gpu_nvidia, auto_gpu_cuda, and auto_gpu_amd. 

Plurox also supports an UPnP plugin, which was likely designed to attack a local network. 

After receiving from the C&C a subnet with mask /24, the module retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the current IP address on the router, using the UPnP protocol. If successful, it reports to the C&C, then deletes the forwarded ports after 5 minutes. 

“It would take an attacker just five minutes to sort through all existing exploits for services running on these ports. If the administrators notice the attack on the host, they will see the attack coming directly from the router, not from a local machine. A successful attack will help the cybercriminals gain a foothold in the network,” Kaspersky explains. 

The plugin appears similar to EternalSilence, a campaign detailed in November last year, which aimed to ensnare a quarter million devices in the UPnProxy botnet. The difference is that Plurox forwards TCP port 135 instead of 139. 

Another plugin in the new backdoor is responsible for spreading over the local network using the NSA-linked EternalBlue exploit. The module is identical with the one used in the Trickster Trojan, “but with no debug lines in the code, plus the payload in the exploit is loaded using sockets,” Kaspersky says. 

The analysis revealed not only that the injected code is similar, but also that the code for standard procedures is the same, which led the researchers to the conclusion that the samples were taken from the same source code, suggesting that the creators of Plurox and Trickster may be linked.

Related: Hackers Using NSA Hacking Tools to Build Botnet

Related: New Version of ShellTea Backdoor Used by FIN8 Hacking Group