
    Discover How Researchers Defeated PlugX Malware with 2.5 Million Unique IP Addresses!

    New Sinkhole Method Used to Take Down PlugX Malware Server with Over 2.5 Million Unique IPs

    A team of experts has successfully sinkholed a command and control server for a variant of the dangerous PlugX malware and has recorded an astonishing 2.5 million+ unique IP connections in just six months.

    The sinkhole server, operated by security firm Sekoia, has received an average of 90,000 requests per day since September 2023 from infected hosts in over 170 countries worldwide.

    Using innovative technology, Sekoia has been able to analyze the incoming traffic and map out the infected systems, prevent any malicious activity, and develop effective plans to remove the malware.

    An Unconventional Approach to Shutting Down the PlugX Server

    The skilled researchers at cybersecurity company Sekoia spent only $7 to gain control of the IP address 45.142.166[.]112, which corresponded to a command and control (C2) server for a variant of PlugX that was no longer in use.

    The C2 IP address was initially mentioned in a report by Sophos in March 2023, which stated that a new version of PlugX was spreading rapidly worldwide and could spread via USB devices.

    Once Sekoia contacted the hosting company and requested control of the IP, the team was granted access to the server.

    The researchers quickly created a replica of the original C2 server by setting up a basic web server, which allowed them to capture HTTP requests from the infected systems and analyze the different patterns of behavior.

    The sinkhole operation revealed that, on average, between 90,000 and 100,000 systems were connecting to the server each day and that over a six-month period, more than 2.5 million unique IPs had connected from various countries around the globe.

    [Figure: Global Map of PlugX Infections (source: Sekoia)]

    Out of the 170 countries affected, it was found that just 15 of them made up over 80% of the total infections. The top 8 countries were Nigeria, India, China, Iran, Indonesia, the UK, Iraq, and the United States.

    Sekoia notes that it can be challenging to determine the exact number of infected systems due to the lack of unique identifiers in this version of PlugX. The following factors could affect the accuracy of the count:

    • Multiple compromised systems can use the same IP address to connect
    • Due to dynamic IP addressing, one infected system can connect via multiple IP addresses
    • Many connections are made through VPN services, making it difficult to determine the source country
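The capture-and-analyze step described above, and the counting caveats just listed, as an added example that is not Sekoia's code or data: a small analysis over constructed sinkhole access-log lines (the log format, the IPs and the IP-to-country map are all made up here) that reports requests per day, unique source IPs, and country share, with comments on why unique IPs only approximate infected hosts.

```python
"""Summarize constructed sinkhole access logs: requests per day, unique
source IPs, and country share. Everything below (log format, sample lines,
IP_COUNTRY map) is constructed for illustration, not real sinkhole data."""
from collections import Counter, defaultdict
import re

# Constructed log lines: source IP, date, quoted request line.
SAMPLE_LOG = """\
198.51.100.7 2023-09-01 "POST /update HTTP/1.1"
198.51.100.7 2023-09-01 "POST /update HTTP/1.1"
203.0.113.9 2023-09-01 "POST /update HTTP/1.1"
192.0.2.44 2023-09-02 "POST /update HTTP/1.1"
203.0.113.9 2023-09-02 "POST /update HTTP/1.1"
192.0.2.45 2023-09-02 "POST /update HTTP/1.1"
"""

# Constructed stand-in for a GeoIP lookup (a real analysis would query a
# GeoIP database; VPN exit nodes still mislabel the true source country).
IP_COUNTRY = {"198.51.100.7": "NG", "203.0.113.9": "IN",
              "192.0.2.44": "GB", "192.0.2.45": "GB"}

LINE_RE = re.compile(r'^(\S+) (\d{4}-\d{2}-\d{2}) "([^"]*)"$')


def parse_log(text):
    """Yield (ip, day, request) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def summarize(text):
    """Return per-day request counts, unique IPs (overall and per day) and
    country share by unique IP. Unique IPs are only a proxy for hosts: NAT
    hides many hosts behind one IP, dynamic addressing spreads one host
    over several IPs, and VPNs hide the real source country."""
    per_day = Counter()
    ips_per_day = defaultdict(set)
    for ip, day, _request in parse_log(text):
        per_day[day] += 1
        ips_per_day[day].add(ip)
    all_ips = set().union(*ips_per_day.values()) if ips_per_day else set()
    by_country = Counter(IP_COUNTRY.get(ip, "??") for ip in all_ips)
    share = {c: round(100 * n / len(all_ips), 1) for c, n in by_country.items()}
    return {"requests_per_day": dict(per_day),
            "unique_ips": len(all_ips),
            "unique_ips_per_day": {d: len(s) for d, s in ips_per_day.items()},
            "country_share_pct": share}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```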

    Despite this, the team at Sekoia believes that the majority of the infections were strategically targeted in countries participating in China’s Belt and Road Initiative. However, they also acknowledge that the malware has had enough time to spread worldwide, making it challenging to draw any concrete conclusions.

    [Figure: Percentage of Infected Systems by Country (source: Sekoia)]

    Although PlugX was originally linked to state-sponsored attacks from China, it has since been used by various threat actors involved in criminal activities such as ransomware.

    The Process of Removing PlugX from Infected Systems

    Sekoia has developed two strategies for removing the malware from these infected systems and is calling for the involvement of national cybersecurity teams and law enforcement agencies to help.

    The first method involves sending a self-delete command supported by PlugX, which should effectively remove it from the system with no further actions required.

    However, there is still a risk of re-infection, especially if the system is connected to an infected USB device. In these cases, Sekoia recommends a more complex approach.

    This method requires developing and implementing a tailored payload on the infected system, which will not only remove PlugX from the host but will also target any infected USB devices connected to it.

    Sekoia has offered to share the necessary information with national CERTs to enable them to perform effective “sovereign disinfection” without the complexities of sending commands to other people’s workstations.

    However, it is important to note that any air-gapped systems infected with PlugX are beyond reach, and the same goes for infected USB drives that are not currently connected to a device.

    After analyzing the data collected from the sinkhole, the researchers at Sekoia believe that the botnet built with this version of PlugX can be considered “dead”, since the malware operators are no longer in control.

    However, the team warns that anyone with the capability of intercepting traffic or hijacking the C2 server could potentially use this botnet for malicious purposes in the future.

    The History and Capabilities of PlugX

    The infamous PlugX malware has been in use since 2008, and it is primarily associated with espionage and remote access attacks from groups linked to the Chinese Ministry of State Security.

    The malware has been used by multiple attack groups to target government, defense, technology, and political organizations, mainly in Asia. However, in recent years, it has also expanded its reach to the West.

    Despite various attempts to attribute PlugX to a specific actor or agenda, the constant updates and the release of the source code have made it challenging to determine its origins accurately.

    The malware includes a wide range of capabilities, such as command execution, file uploads and downloads, keystroke logging, and access to system information.

    In its most recent variant, PlugX has even gained the ability to spread autonomously by infecting removable drives like USB flash drives, potentially allowing it to reach systems that are not connected to the internet.
