This year, researchers discovered a modular backdoor that delivers one of eight different cryptominers to infected systems, along with malicious plugins that spread over the UPnP and SMB protocols.
Written in C and compiled with MinGW GCC, the malware, dubbed Plurox, was discovered last February by Kaspersky researchers, who are confident they caught the backdoor while it was still being tested by its operators.
Plurox connects to its C2 server and receives commands over TCP, which determine which malicious plugins are installed and run on the infected device, according to Kaspersky's blog post of June 18, written by researcher Anton Kuzmenko.
Kaspersky researchers said they observed two subnets while monitoring the backdoor's activity. From the first, infected hosts receive only cryptominers; from the second, they receive both miners and the plugins that spread over the Universal Plug and Play (UPnP) network protocol and the Server Message Block (SMB) file-sharing protocol.
Kaspersky identified eight miner plugins: auto_proc, auto_cuda, auto_miner, auto_opencl_amd, auto_gpu_intel, auto_gpu_nvidia, auto_gpu_cuda and auto_gpu_amd. The malware reports the compromised computer's hardware configuration to the C2 server, which replies with the name of the plugin to download, so that the miner matches the available CPU or GPU.
The main purpose of the UPnP and SMB plugins is to establish a foothold in the infected machine's network and spread laterally, Kuzmenko writes. Kaspersky notes that the UPnP plugin closely resembles the NSA EternalSilence exploit, while the SMB plugin spreads the malware using the actual NSA EternalBlue exploit.
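EternalSilence-style UPnP abuse works by injecting port-mapping rules into a router's Internet Gateway Device service so that SMB and NetBIOS ports on internal hosts become reachable from outside, which is the foothold the paragraph above describes. The following is an added example, not Plurox code or Kaspersky's, of the check a defender can run against a dump of a router's UPnP port-mapping table: it parses the entries and flags any that forward traffic to TCP 139 or 445 on an internal host. The line format and the sample table are constructed for this example; the description string `galleta silenciosa` is the one Akamai reported on EternalSilence-injected mappings and is used here only as a secondary indicator.

```python
import re
from dataclasses import dataclass
from typing import List

# Ports that an EternalSilence-style mapping exposes on the internal host.
SMB_PORTS = {139, 445}

# Description string Akamai reported on EternalSilence-injected mappings (secondary indicator).
KNOWN_BAD_DESCRIPTIONS = {"galleta silenciosa"}

# Constructed line format for this example (not a real tool's output):
#   <PROTO> <external_port> -> <internal_ip>:<internal_port> '<description>'
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<ext>\d{1,5})\s*->\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<int>\d{1,5})\s+'(?P<desc>[^']*)'\s*$"
)


@dataclass(frozen=True)
class PortMapping:
    proto: str
    ext_port: int
    int_client: str
    int_port: int
    description: str


def parse_mappings(dump: str) -> List[PortMapping]:
    """Parse a port-mapping dump in the constructed format; skip lines that do not match."""
    mappings = []
    for raw in dump.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, or entries in another format
        mappings.append(PortMapping(
            proto=m.group("proto"),
            ext_port=int(m.group("ext")),
            int_client=m.group("ip"),
            int_port=int(m.group("int")),
            description=m.group("desc"),
        ))
    return mappings


def suspicious_mappings(mappings: List[PortMapping]) -> List[PortMapping]:
    """Return mappings that expose SMB/NetBIOS on an internal host (the EternalSilence pattern).

    A TCP mapping whose internal port is 139 or 445 is flagged regardless of description;
    the known description string is an additional, weaker indicator.
    """
    flagged = []
    for m in mappings:
        exposes_smb = m.proto == "TCP" and m.int_port in SMB_PORTS
        known_desc = m.description.strip().lower() in KNOWN_BAD_DESCRIPTIONS
        if exposes_smb or known_desc:
            flagged.append(m)
    return flagged


# Constructed sample dump: two legitimate mappings and two EternalSilence-style ones.
SAMPLE_DUMP = """\
# UPnP IGD port mappings (constructed sample)
TCP 8080 -> 192.168.1.10:80 'home web server'
UDP 6881 -> 192.168.1.5:6881 'torrent client'
TCP 50256 -> 192.168.1.23:445 'galleta silenciosa'
TCP 50257 -> 192.168.1.23:139 'galleta silenciosa'
"""


def audit(dump: str) -> List[str]:
    """Human-readable findings for a dump; empty list means nothing suspicious."""
    return [
        f"{m.proto} {m.ext_port} -> {m.int_client}:{m.int_port} ({m.description!r})"
        for m in suspicious_mappings(parse_mappings(dump))
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print("SUSPICIOUS:", finding)
```

On a real network the dump would come from querying the gateway's WANIPConnection service (for example with a UPnP client that enumerates GetGenericPortMappingEntry), and any hit should be followed by removing the mapping and disabling UPnP on the WAN side.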