A new strain of malware has been spotted in the wild by the Kaspersky security team. Named Plurox, this new malware is a cut above the usual malware strains security researchers encounter on a daily basis.
According to Kaspersky, Plurox, despite being in early testing, has some pretty advanced features and can act as a backdoor into infected enterprise networks, can spread laterally to compromise even more systems, and can mine cryptocurrencies using one of eight different plugins.
In other words, the malware can work as a backdoor trojan, a self-spreading virus, and a crypto-miner, all at the same time.
Plurox designed around a modular structure
Spotted for the first time in February this year, the malware’s multi-faceted feature-set can be attributed to its modular build.
The malware’s core consists of a primary component that allows Plurox bots (infected hosts) to talk to a command and control (C&C) server.
This communications component is at the center of the Plurox malware. According to Kaspersky, the Plurox crew uses it to download and run files on already infected hosts. These additional files are named “plugins” and are where most of the malware’s features reside.
Kaspersky said it found eight plugins dedicated to cryptocurrency mining (each plugin focused on CPU/GPU mining for a particular hardware configuration), one UPnP plugin, and an SMB plugin.
Plurox’s main purpose: cryptomining
After analyzing how the malware talked to its C&C server, researchers said they quickly realized that the malware’s main purpose was cryptocurrency mining.
“When monitoring the malware’s activity, we detected two ‘subnets’,” said Anton Kuzmenko, Kaspersky researcher.
In one subnet, Plurox bots received only mining modules, and in the second subnet, all modules were available for download.
The purpose of these two separate communication channels is unknown; however, it…