Experts Neutralize PlugX Malware Server Linked to 25 Million IP Addresses

An abandoned USB worm, PlugX, which backdoored connected devices, continued to self-propagate for years after its creators lost control of it. The malware remained active on thousands or even millions of machines, but experts from Sekoia were able to sinkhole its command and control server.

This version of PlugX first became known in 2023, from a Sophos report. Researchers found that this variant had been active since 2019 and that PlugX had gained functionality to automatically infect USB drives. These infected drives would attack any new machine they were connected to, enabling the malware to spread autonomously without user intervention.

In general, cybersecurity experts have been aware of PlugX’s existence since 2008. It is believed that this malware was created in China and used by various “government” hacking groups.

Some time ago, for unknown reasons, the worm’s authors abandoned the IP address (45.142.166[.]112) used as the malware’s command and control server. Since no one was controlling the infected machines anymore, the PlugX worm effectively ceased to exist as an operated botnet.

However, as reported by Sekoia specialists this week, the worm continued to operate on an undetermined number of machines, likely numbering in the millions.

For $7, researchers acquired the mentioned IP address discarded by the malware operators and established their own server infrastructure, mimicking the behavior of the command and control server, to sinkhole all the malware’s traffic and prevent its use for criminal purposes.

Since then, the experts’ server has been receiving PlugX traffic, with between 90,000 and 100,000 unique IP addresses connecting to it daily. In total, over six months, Sekoia experts recorded around 2.5 million requests from unique IP addresses in 170 countries worldwide.

Such check-in requests (beacons) are standard for almost any malware and typically occur at regular intervals, ranging from minutes to days. While the number of IP addresses does not directly indicate the number of infected machines, the volume of traffic suggests that the worm is still active on thousands or even millions of devices.
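The two measurements described above (unique source IPs per day, and the regular check-in interval that distinguishes a beacon from a one-off hit) can be computed directly from a sinkhole’s connection log. The following is an added example, not Sekoia’s code; the log format, the sample lines and the jitter threshold are constructed assumptions.

```python
"""Added example (not from Sekoia or the article): summarise constructed
sinkhole connection logs as a defender reading a sinkhole feed would:
unique source IPs per day, and per-source beacon regularity."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log, format assumed: "<ISO timestamp> <source IP> <path>"
# 203.0.113.10 beacons every 30 minutes but is offline overnight;
# the other two sources are single or irregular hits.
SAMPLE_LOG = """\
2024-04-01T00:00:05 203.0.113.10 /update
2024-04-01T00:30:04 203.0.113.10 /update
2024-04-01T01:00:06 203.0.113.10 /update
2024-04-01T01:30:05 203.0.113.10 /update
2024-04-01T03:12:44 198.51.100.7 /update
2024-04-02T00:00:07 203.0.113.10 /update
2024-04-02T00:30:06 203.0.113.10 /update
2024-04-02T09:41:13 192.0.2.55 /update
2024-04-02T11:02:50 192.0.2.55 /update
"""

def parse_log(text):
    """Return {source_ip: [timestamps sorted ascending]}."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _path = line.split(maxsplit=2)
        seen[ip].append(datetime.fromisoformat(ts))
    return {ip: sorted(times) for ip, times in seen.items()}

def unique_ips_per_day(hits):
    """Distinct source IPs per calendar day. This is only an upper bound on
    infected hosts: NAT merges many hosts into one IP, and dynamic addressing
    makes one host appear as several IPs over time."""
    days = defaultdict(set)
    for ip, times in hits.items():
        for t in times:
            days[t.date().isoformat()].add(ip)
    return {day: len(ips) for day, ips in sorted(days.items())}

def beacon_profile(times, max_jitter=0.2, min_fraction=0.75):
    """Return (median_gap_seconds, is_periodic). A source is periodic when at
    least min_fraction of its inter-arrival gaps lie within max_jitter of the
    median gap, so an overnight outage does not hide a regular beacon."""
    if len(times) < 3:
        return None, False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps)
    close = sum(1 for g in gaps if abs(g - med) <= max_jitter * med)
    return med, close / len(gaps) >= min_fraction
```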

The highest number of infected computers is concentrated in Nigeria, followed by India, Indonesia, the UK, Iraq, and the US.

Apparently, 80% of all PlugX infections occurred in 15 countries worldwide. Although at first glance, the leading countries in infection numbers may seem unrelated, it appears that all of them could have had strategic importance for China.

Researchers believe that initially, the campaign aimed to collect intelligence data that the Chinese government could use to achieve its own goals. However, PlugX later spread worldwide, and other hackers began using the malware, including ransomware operators and financially motivated groups.

Sekoia warns that other variants of PlugX remain active, using at least three other command and control servers known to cybersecurity experts, although there are signs that one of them may already have been blocked by someone.

Researchers note that the worm can still be captured by other malicious actors who could, for example, infiltrate the communication channel between the server and infected devices.

This threat presents a dilemma for the governments of affected countries. They can either maintain the status quo and take no action, or try to trigger PlugX’s built-in self-destruct command to protect the infected computers. By choosing the latter option, they could attempt not only to clean the infected machine itself but also to push additional functionality that neutralizes any infected USB drives connected to the system in the future.

Since the worm infects drives, researchers point out that removing the malware from infected machines risks destroying the data stored on them. On the other hand, leaving everything as is could allow the worm to keep spreading, with the added risk of further re-infections.

Further complicating the decision-making process is the fact that even if all available infected machines are cleaned, the worm will inevitably “survive” in systems that are not connected to the network.

“In light of potential legal issues that may arise from conducting a large-scale cleanup campaign [of infected systems], involving sending arbitrary commands to workstations that do not belong to us, we have decided to leave the resolution of this issue to the discretion of regional CERTs, law enforcement agencies, and cybersecurity authorities,” summarize Sekoia specialists. “Upon receiving a cleanup list, we can grant them access for three months upon request. During this time, in response to any PlugX request from a system that needs cleaning, a removal command will be sent, or an appropriate payload.”
