{
	"id": "e5fafcfa-dbd3-4a81-8290-d6e94c648c07",
	"created_at": "2026-04-06T00:15:45.34205Z",
	"updated_at": "2026-04-10T03:20:29.829936Z",
	"deleted_at": null,
	"sha1_hash": "c04dfc6d0f36012ef9c8b3689d6207d322ce7778",
	"title": "Plurox: Modular backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 339269,
	"plain_text": "Plurox: Modular backdoor\r\nBy Anton Kuzmenko\r\nPublished: 2019-06-18 · Archived: 2026-04-05 21:38:35 UTC\r\nIn February this year, a curious backdoor passed across our virtual desk. The analysis showed the malware to have\r\na few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the\r\nattacked network, and install miners and other malicious software on victim computers. What’s more, the\r\nbackdoor is modular, which means that its functionality can be expanded with the aid of plugins, as required. Post-analysis, the malware was named Backdoor.Win32.Plurox.\r\nKey features\r\nPlurox is written in C and compiled with Mingw GCC, and judging by the presence of debug lines, the malware\r\nwas at the testing stage when detected.\r\nDebug lines in the samples we found\r\nThe backdoor uses the TCP protocol to communicate with the C\u0026C server; plugins are loaded and directly\r\ninterfaced via two different ports, which are stitched into the body of Plurox; the C\u0026C addresses are also\r\nhardcoded into the bot. When monitoring the malware’s activity, we detected two “subnets.” In one, Plurox\r\nreceives only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) from the C\u0026C center, while in the other,\r\nbesides miners (auto_opencl_amd, auto_miner), it is passed several plugins, which will be discussed later.\r\nThe Plurox family has virtually no encryption; only a few 4-byte keys are applied for the regular XOR cipher. The\r\npacket for calling the C\u0026C server looks as follows:\r\nhttps://securelist.com/plurox-modular-backdoor/91213/\r\nPage 1 of 7\n\nThe buffer contains an XORed string with the key at the start of the packet. The response from the C\u0026C center\r\ncontains the command to be executed, plus data for its execution, which is encrypted using XOR. When the plugin\r\nis loaded, the bot itself selects the required bitness and requests both auto_proc and auto_proc64. 
In response there\r\narrives a packet with an encrypted plugin, the usual MZ-PE.\r\nSupported commands\r\nThe Plurox version we found supports a total of seven commands:\r\nDownload and run files using WinAPI CreateProcess\r\nUpdate bot\r\nDelete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry)\r\nDownload and run plugin\r\nStop plugin\r\nUpdate plugin (stop process and delete file of old version, load and start new one)\r\nStop and delete plugin\r\nPlugins\r\nDuring the monitoring, we managed to detect several Plurox plugins and study them all.\r\nPlugin miners\r\nThe malware can install on the victim computer one of several cryptocurrency miners, depending on the particular\r\nsystem configuration. The bot sends the package with the system configuration to the C\u0026C server, and in response\r\nit receives information about which plugin to download. We counted eight mining modules in total, whose\r\nfeatures can be guessed from their names:\r\nauto_proc\r\nauto_cuda\r\nauto_miner\r\nauto_opencl_amd\r\nauto_gpu_intel\r\nauto_gpu_nvidia\r\nauto_gpu_cuda\r\nauto_gpu_amd\r\nUPnP plugin\r\nThe module receives from the C\u0026C a subnet with mask /24, retrieves all IP addresses from it, and attempts to\r\nforward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP address on the router using the UPnP\r\nprotocol. If successful, it reports the result to the C\u0026C center, waits for 300 seconds (5 minutes), and then deletes\r\nthe forwarded ports. We assume that this plugin can be used to attack a local network. It would take an attacker\r\njust five minutes to sort through all existing exploits for services running on these ports. 
If the administrators\r\nnotice the attack on the host, they will see the attack coming directly from the router, not from a local machine. A\r\nsuccessful attack will help the cybercriminals gain a foothold in the network.\r\nAccording to its description, the plugin is very similar to EternalSilence, except that port 135 is forwarded instead\r\nof 139. See this Akamai article for details of EternalSilence:\r\n{\"NewProtocol\": \"TCP\", \"NewInternalPort\": \"445\", \"NewInternalClient\": \"192.168.10.165\",\r\n\"NewPortMappingDescription\": \"galleta silenciosa\", \"NewExternalPort\": \"47622\"}\r\nAnd here’s the Plurox plugin template:\r\n\u003cNewProtocol\u003eTCP\u003c/NewProtocol\u003e\r\n\u003cNewInternalPort\u003e%d\u003c/NewInternalPort\u003e\r\n\u003cNewInternalClient\u003e%s\u003c/NewInternalClient\u003e\r\n\u003cNewEnabled\u003e1\u003c/NewEnabled\u003e\r\n\u003cNewPortMappingDescription\u003egalleta silenciosa\u003c/NewPortMappingDescription\u003e\r\nIn the two examples, a matching line is highlighted — a description of port forwarding.\r\nSMB plugin\r\nThis module is responsible for spreading malware over the network using the EternalBlue exploit. 
It is identical to\r\nthe wormDll32 module from Trojan.Win32.Trickster, but with no debug lines in the code, plus the payload in\r\nthe exploit is loaded using sockets.\r\nLeft: Plurox SMB plugin injected code, right: WormDll injected code\r\nLeft: Plurox SMB plugin NetServerEnum, right: Trickster WormDll NetServerEnum\r\nAs can be seen in these samples, not only is the injected code similar, but also the code for standard procedures.\r\nBased on this, we can assume that the analyzed samples were taken from the same source code (commented lines\r\nin the Trickster plugin are missing in the Plurox plugin), which means the respective creators of Plurox and\r\nTrickster may be linked.\r\nKaspersky security solutions detect the bot and its plugins with the verdicts Backdoor.Win32.Plurox and\r\nHEUR:Trojan.Win32.Generic.\r\nIoC\r\nC\u0026C servers\r\n178.21[.]11.90\r\n185.146[.]157.143\r\n37.140[.]199.65\r\n194.58[.]92.63\r\nobuhov2k[.]beget[.]tech\r\nwebdynamicname[.]com\r\n37.46[.]131.250\r\n188.93[.]210.42\r\nMD5\r\nMain body\r\n59523DD8F5CE128B68EA44ED2EDD5FCA\r\nC4A74D79030336A0C3CF60DE2CFAE9E9\r\nCECFD6BCFDD56B5CC1C129740EA2C524\r\nBE591AA0E48E496B781004D0E833E261\r\nTrickster Worm module\r\nf233dd609821c896a4cb342cf0afe7b2\r\nauto_proc32\r\n2e55ae88c67b1d871049af022cc22aac\r\nauto_proc64\r\nb2d76d715a81862db84f216112fb6930\r\nauto_opencl_amd32\r\na24fd434ffc7d3157272189753118fbf\r\nauto_opencl_amd64\r\n117f978f07a658bce0b5751617e9d465\r\nauto_miner32\r\n768857d6792ee7be1e1c5b60636501e5\r\nauto_miner64\r\ne8aed94c43c8c6f8218e0f2e9b57f083\r\nupnp32\r\n8cf5c72217c1bb48902da2c83c9ccd4e\r\nupnp64\r\nb2824d2007c5a1077856ae6d8192f523\r\nsmb32\r\n6915dd5186c65891503f90e91d8716c6\r\nsmb64\r\ncd68adc0fbd78117521b7995570333b2\r\nSource: 
https://securelist.com/plurox-modular-backdoor/91213/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/plurox-modular-backdoor/91213/"
	],
	"report_names": [
		"91213"
	],
	"threat_actors": [],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c04dfc6d0f36012ef9c8b3689d6207d322ce7778.pdf",
		"text": "https://archive.orkl.eu/c04dfc6d0f36012ef9c8b3689d6207d322ce7778.txt",
		"img": "https://archive.orkl.eu/c04dfc6d0f36012ef9c8b3689d6207d322ce7778.jpg"
	}
}