
There is a new variant of PlugX, infecting 2.5 million servers

Author: FreeBuf

Recently, researchers at cybersecurity firm Sekoia took over the command-and-control (C2) server of a PlugX malware variant and, over six months, observed connections from more than 2.5 million unique IP addresses.

Since Sekoia took control of the IP address of this specific C2 server last September, the sinkholed server has received more than 90,000 requests a day from infected hosts in more than 170 countries.

With the takeover in place, Sekoia was able to analyze the beacon traffic, map the infections, prevent malicious reuse of the C2 infrastructure against victims, and work out an effective cleanup plan.


Taking over the PlugX server

Researchers at cybersecurity firm Sekoia bought the IP address 45.142.166.112, which belonged to a C2 server of the PlugX variant that the threat actors had stopped using, for just $7.

The C2 IP address had been documented in a report published by Sophos in March 2023, which noted that the new version of PlugX had spread "almost halfway around the world" and that the malware was already able to propagate itself through USB devices.

After Sekoia contacted the hosting company and requested control of the IP, the researchers were given shell access to the server behind it.

To mimic the behavior of the original C2 server, the researchers set up a simple web server on it, which let the analysts capture the HTTP requests sent by infected hosts and observe how the traffic changed over time.

Through this operation, the researchers found that between 90,000 and 100,000 systems sent requests every day, and that over a six-month period more than 2.5 million unique IP addresses from around the world connected to the server.


Infections by this specific PlugX variant (Image source: Sekoia)

Although the worm has spread to 170 countries, just 15 of them account for more than 80% of all infections, with Nigeria, India, China, Iran, Indonesia, the United Kingdom, Iraq and the United States at the top of the list.

The researchers stress that the beacons sent to the taken-over PlugX C2 server carry no unique host identifier, so counting infected hosts from source IP addresses is unreliable:

  • Many compromised workstations may egress from the same IP address (for example behind a NAT gateway)
  • Because of dynamic IP address assignment, a single infected system can connect from several IP addresses over time
  • Many connections come through VPN services, which hides the true country of origin
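The sinkhole described above (a plain web server that logs every beacon) and the counting caveats in the list are easy to see in code. The following is an added example, not Sekoia's code or tooling: it defines a minimal HTTP sinkhole handler that records the source IP and request of every connection, and an analysis routine that counts requests and unique source IPs per day from such a log. The log-line format and the sample log lines are constructed for this example; the IP addresses are from documentation ranges, not real victims.

```python
"""Minimal C2 sinkhole plus log analysis (added example, not from the article)."""
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer
import ipaddress
import logging
import re

log = logging.getLogger("sinkhole")


class SinkholeHandler(BaseHTTPRequestHandler):
    """Accept any request, record who sent it, answer 200 with an empty body.

    Answering with nothing keeps infected hosts beaconing (so they can be
    counted and mapped) without ever handing them a command or payload.
    """

    def _record(self):
        log.info("%s %s %s %r", self.client_address[0], self.command,
                 self.path, self.headers.get("User-Agent", ""))

    def do_GET(self):
        self._record()
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_GET  # beacons that POST data are handled the same way

    def log_message(self, fmt, *args):
        pass  # silence the default stderr access log; we log via _record


def serve(port=8080):
    """Run the sinkhole in the foreground (blocks until interrupted)."""
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    HTTPServer(("0.0.0.0", port), SinkholeHandler).serve_forever()


# Constructed log format for this example:
#   "<YYYY-MM-DD>T<HH:MM:SS> <src_ip> <GET|POST> <path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} (\S+) (GET|POST) (\S+)$")


def analyze(lines):
    """Count beacons and unique source IPs per day and overall.

    Returns (per_day, total_unique_ips) where per_day maps a date string to
    {"requests": n, "unique_ips": m}. Unparseable lines and lines whose
    source field is not a valid IP address are skipped rather than counted.
    """
    per_day_ips = defaultdict(set)
    per_day_requests = defaultdict(int)
    all_ips = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, ip, _method, _path = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        per_day_requests[day] += 1
        per_day_ips[day].add(ip)
        all_ips.add(ip)
    per_day = {d: {"requests": per_day_requests[d], "unique_ips": len(per_day_ips[d])}
               for d in sorted(per_day_requests)}
    return per_day, len(all_ips)


# Constructed sample log. 203.0.113.10 beacons three times on day one: that may
# be one host checking in repeatedly or three hosts behind one NAT address.
# 198.51.100.7 and 198.51.100.8 may be one host whose dynamic address changed.
SAMPLE_LOG = """\
2024-03-01T08:00:01 203.0.113.10 GET /update
2024-03-01T08:00:02 203.0.113.10 GET /update
2024-03-01T08:00:05 203.0.113.10 POST /report
2024-03-01T09:15:00 198.51.100.7 GET /update
2024-03-01T09:15:01 not-an-ip GET /update
2024-03-02T08:00:01 203.0.113.10 GET /update
2024-03-02T10:30:00 198.51.100.8 GET /update
garbage line that does not match the format
""".splitlines()


if __name__ == "__main__":
    per_day, total = analyze(SAMPLE_LOG)
    for day, stats in per_day.items():
        print(day, stats)
    print("unique IPs overall:", total)
    # serve() would start the sinkhole; it is not called here so the script exits.
```

The unique-IP count (3 here) is an upper and a lower bound at the same time: NAT collapses many hosts into one address, and dynamic addressing spreads one host over several, which is exactly why the article treats 2.5 million unique IPs as an unreliable count of infected machines.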

Sekoia believes that the campaign has been running for about four years, long enough for the worm to spread around the world.


Share of active infections by country, out of roughly 100,000 active hosts per day (Image source: Sekoia)

Over the years, PlugX has become a commodity tool used by a range of threat actors, some of them engaged in financially motivated activity such as ransomware.

Cleanup challenges

Sekoia has proposed two approaches for removing the PlugX malware and has called on national cybersecurity teams and law enforcement agencies to take part.

  1. Self-delete command: PlugX has a built-in self-delete command that, sent from the C2 server, removes the malware from an infected computer without any further action. Note that even after removal there is a risk of reinfection, because PlugX also spreads through USB devices and an infected drive plugged in later will reinfect the host.
  2. Custom payload: develop and deliver a custom payload to infected computers that wipes PlugX both from the system and from any infected USB drives connected to it.

Sekoia also highlighted the legal complexities of such a cleanup and offered to give national Computer Emergency Response Teams (CERTs) the information they need to carry out what it calls "sovereign sanitization" within their own jurisdictions, avoiding cross-border legal problems.

Sekoia noted that these cleanup methods cannot reach isolated networks or infected USB drives that are not currently connected. Still, since the malware operators have lost control of the C2 server, the botnet tied to the taken-over server can be considered "dead".

However, anyone able to intercept traffic to, or take control of, the C2 server could reactivate the botnet for malicious purposes by sending arbitrary commands to the infected hosts.

PlugX background

Since 2008, PlugX has been used primarily for espionage and remote access operations, typically targeting government, defense, technology, and political organizations, at first mainly in Asia and later expanding to the West.

Over time, PlugX's builder tools surfaced in the public domain, and some researchers believe the malware's source code leaked around 2015. That leak, together with the many updates the tool has received since, makes it hard to attribute PlugX to any single actor or agenda.

The malware has a wide range of capabilities, including command execution, file upload and download, keystroke logging, and collection of system information.

A recent variant of PlugX includes a worm component that spreads autonomously by infecting removable drives such as USB flash drives, which can carry it into isolated networks.
