The malware is modular, which means attackers can expand its functionality by adding plugins as required.
Kaspersky researchers discovered the malware in February. It is written in C and compiled with MinGW GCC. Communication with the C&C server is established over TCP; the plugins are loaded and interfaced via two different ports defined within Plurox, and the C&C address is hardcoded.
Plurox Malware Plugins
The C&C server instructs the malware to extract information from the infected machine, and the commands are encrypted using XOR. Plurox supports the following seven commands:
- Download and run files using WinAPI CreateProcess
- Update bot
- Delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry)
- Download and run plugin
- Stop plugin
- Update plugin (stop the process and delete the file of the old version, load and start a new one)
- Stop and delete the plugin
The malware installs crypto miners based on the system configuration: it sends the system configuration details to the C&C server and receives information on which plugin needs to be installed.
“The UPnP plugin module receives from the C&C a subnet with mask /24, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP address on the router using the UPnP protocol. If successful, it reports the result to the C&C center, waits for 300 seconds (5 minutes), and then deletes the forwarded ports. Researchers believe that this plugin can be used to attack a local network.”
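A defender-side check for the behaviour the quoted paragraph describes, as an added example that is not code from Kaspersky or from this article: it scans constructed router UPnP IGD action records for ports 135 and 445 being forwarded to successive hosts in one /24 and measures how long each such mapping lived before it was deleted. The record layout, field order and function names are assumptions.

```python
"""Flag UPnP IGD port mappings matching the pattern described for the Plurox UPnP
plugin: 135 (MS-RPC) and 445 (SMB) forwarded host by host, removed ~300 s later."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {135: "MS-RPC", 445: "SMB"}

# Constructed sample of IGD control-point actions as a router might log them:
# (timestamp, SOAP action, external port, internal client, internal port)
SAMPLE_EVENTS = [
    ("2019-06-18T10:00:00", "AddPortMapping", 135, "192.168.1.10", 135),
    ("2019-06-18T10:00:01", "AddPortMapping", 445, "192.168.1.10", 445),
    ("2019-06-18T10:05:02", "DeletePortMapping", 135, "192.168.1.10", 135),
    ("2019-06-18T10:05:02", "DeletePortMapping", 445, "192.168.1.10", 445),
    ("2019-06-18T10:05:10", "AddPortMapping", 135, "192.168.1.11", 135),
    ("2019-06-18T10:05:11", "AddPortMapping", 445, "192.168.1.11", 445),
    ("2019-06-18T10:30:00", "AddPortMapping", 8080, "192.168.1.50", 80),  # benign
]

def find_suspicious_mappings(events, min_hosts=2, window=timedelta(minutes=10)):
    """Return (hits, alerts): hits are AddPortMapping events for watched ports; alerts
    maps each /24 where >= min_hosts distinct hosts got one within `window` to those hosts."""
    hits = [e for e in events
            if e[1] == "AddPortMapping" and e[4] in WATCHED_PORTS]
    by_subnet = defaultdict(list)
    for ts, _, _, host, port in hits:
        net = ipaddress.ip_network(f"{host}/24", strict=False)
        by_subnet[str(net)].append((datetime.fromisoformat(ts), host, port))
    alerts = {}
    for net, items in by_subnet.items():
        items.sort()
        for i, (t0, _, _) in enumerate(items):  # sliding window over sorted hits
            hosts = {h for t, h, _ in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[net] = sorted(hosts)
                break
    return hits, alerts

def mapping_lifetimes(events):
    """Seconds each watched mapping lived before its matching DeletePortMapping."""
    opened, lifetimes = {}, {}
    for ts, action, _, host, port in events:
        if action == "AddPortMapping" and port in WATCHED_PORTS:
            opened[(host, port)] = datetime.fromisoformat(ts)
        elif action == "DeletePortMapping" and (host, port) in opened:
            lifetimes[(host, port)] = (datetime.fromisoformat(ts)
                                       - opened.pop((host, port))).total_seconds()
    return lifetimes
```

A lifetime close to 300 seconds on a watched port, repeated across neighbouring hosts, is the signal worth alerting on; a single long-lived mapping to one host is more likely a legitimate service.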
The next one is the SMB plugin, responsible for spreading the malware over the network using the EternalBlue exploit. Based on the analysis, researchers believe the creators of Plurox and Trickster may be linked.
Trickster Worm module