Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Modular Backdoor Can Spread Over Local Network

A recently discovered backdoor can spread itself over a local network, in addition to allowing attackers to install additional malware onto compromised machines. 

A recently discovered backdoor can spread itself over a local network, in addition to allowing attackers to install additional malware onto compromised machines. 

Initially observed in February this year, when still in testing phase, and dubbed Plurox, the backdoor is written in C and compiled with Mingw GCC. It uses the TCP protocol for communication with the command and control (C&C) server and supports a variety of plugins to expand capabilities. 

While analyzing the malware, Kaspersky’s security researchers discovered that it uses two different ports to load plugins. The ports and the C&C addresses are hardcoded into the bot. 

The researchers also discovered two subnets of malicious activity. In one of them the backdoor receives only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) from the C&C, while in the other it also receives several plugins, in addition to miners (auto_opencl_amd, auto_miner).

The botnet supports a total of seven commands, which allow it to download and execute files using WinAPI CreateProcess, update the bot, delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry), download and run/stop/stop and delete/update plugin (stop process and delete file of old version, load and start new one). 

The backdoor can install one of several cryptocurrency miners, depending on the system configuration. For that, the bot sends information about the system to the C&C, which then tells it which plugin to download. 

Kaspersky has observed eight mining modules in total, which target different processors: auto_proc, auto_cuda, auto_miner, auto_opencl_amd, auto_gpu_intel, auto_gpu_nvidia, auto_gpu_cuda, and auto_gpu_amd. 

Advertisement. Scroll to continue reading.

Plurox also supports an UPnP plugin, which was likely designed to attack a local network. 

After receiving from the C&C a subnet with mask /24, the module retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the current IP address on the router, using the UPnP protocol. If successful, it reports to the C&C, then deletes the forwarded ports after 5 minutes. 

“It would take an attacker just five minutes to sort through all existing exploits for services running on these ports. If the administrators notice the attack on the host, they will see the attack coming directly from the router, not from a local machine. A successful attack will help the cybercriminals gain a foothold in the network,” Kaspersky explains. 

The plugin appears similar to EternalSilence, a campaign detailed in November last year, which aimed to ensnare a quarter million devices in the UPnProxy botnet. The difference is that Plurox forwards TCP port 135 instead of 139. 

Another plugin in the new backdoor is responsible for spreading over the local network using the NSA-linked EternalBlue exploit. The module is identical with the one used in the Trickster Trojan, “but with no debug lines in the code, plus the payload in the exploit is loaded using sockets,” Kaspersky says. 

The analysis revealed not only that the injected code is similar, but also that the code for standard procedures is the same, which led the researchers to the conclusion that the samples were taken from the same source code, suggesting that the creators of Plurox and Trickster may be linked.

Related: Hackers Using NSA Hacking Tools to Build Botnet

Related: New Version of ShellTea Backdoor Used by FIN8 Hacking Group

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...