Plurox – Modular backdoor

Plurox is a newly observed modular backdoor. It is written in C and complied with Mingw GCC. It appears to still be in active testing, with multiple variants seen in the wild.

It is unclear how Plurox is initially delivered to a target system, although there are unconfirmed reports indicating it may be delivered as a secondary payload by another piece of malware.

By default, Plurox can alter registry entries and edit, transfer or delete files, with plugins used to extend its functionality. These are either included with Plurox upon delivery or downloaded afterwards, with each individual plugin containing a command script as well as a configuration file. At the time of publication, only cryptocurrency mining plugins have been discovered, although it is likely that other plugins exist.

Plurox can also propagate laterally using the EternalBlue SMB and EternalSilence UPnP exploits. Using a separate plugin, it will enumerate the local network, scan for exposed ports 135 and 445, and send back any found ports to the C2 server. The attacker will then send a command back to Plurox to deploy the relevant exploit.

IoC

C&C servers

• 178.21[.]11.90
• 185.146[.]157.143
• 37.140[.]199.65
• 194.58[.]92.63
• obuhov2k[.]beget[.]tech
• webdynamicname[.]com
• 37.46[.]131.250
• 188.93[.]210.42

MD5

• Main body
• 59523DD8F5CE128B68EA44ED2EDD5FCA
• C4A74D79030336A0C3CF60DE2CFAE9E9
• CECFD6BCFDD56B5CC1C129740EA2C524
• BE591AA0E48E496B781004D0E833E261
• Trickster Worm module
• f233dd609821c896a4cb342cf0afe7b2
• auto_proc32
• 2e55ae88c67b1d871049af022cc22aac
• auto_proc64
• b2d76d715a81862db84f216112fb6930
• auto_opencl_amd32
• a24fd434ffc7d3157272189753118fbf
• auto_opencl_amd64
• 117f978f07a658bce0b5751617e9d465
• auto_miner32
• 768857d6792ee7be1e1c5b60636501e5
• auto_miner64
• e8aed94c43c8c6f8218e0f2e9b57f083
• upnp32
• 8cf5c72217c1bb48902da2c83c9ccd4e
• upnp64
• b2824d2007c5a1077856ae6d8192f523
• smb32
• 6915dd5186c65891503f90e91d8716c6
• smb64
• cd68adc0fbd78117521b7995570333b2