Researchers sinkhole PlugX malware server with 2.5 million unique IPs

April 25, 2024 at 03:22PM

Researchers sinkholed a PlugX malware server, logging over 2.5 million unique IP connections from 170 countries in six months. Sekoia obtained control of the server and observed self-spreading capabilities, indicating global infections. They aim to disinfect impacted computers with self-delete commands, but highlight the challenge of re-infection via USB devices. The malware, initially linked to state-sponsored Chinese operations, poses persistent security threats.

Key Takeaways from Meeting Notes:

1. Sinkholing of PlugX Malware C2 Server:
– Sekoia researchers sinkholed a command and control (C2) server for a variant of the PlugX malware and observed over 2.5 million connections from unique IP addresses in six months.
– The security firm’s action enabled analysis of traffic, mapping of infections, prevention of malicious exploitation of clients, and development of effective disinfection plans.

2. Control of the PlugX Server:
– Sekoia researchers acquired the IP address of a command and control server for a variant of the PlugX malware and obtained shell access to the server after contacting the hosting company.
– A web server was set up to mimic the original C2 server’s behavior, allowing capture of HTTP requests from infected hosts and observation of variations in the flow.

3. Infections of the PlugX Variant:
– While the worm spread to 170 countries, just 15 of them account for over 80% of the total infections. Nigeria, India, China, Iran, Indonesia, the UK, Iraq, and the United States are at the top of the list.
– Many compromised workstations can egress through the same public IP address (for example behind NAT), and dynamic IP addressing and VPN services make counts of infected hosts derived from unique IPs unreliable.
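As an added example (not Sekoia's code and not the PlugX beacon format), the Python below aggregates sinkhole request logs the way items 2 and 3 describe: unique source IPs per country, the share held by the top-N countries, and source IPs behind which several distinct hosts beacon, which is why a unique-IP count undercounts NATed or VPN-routed infections. The log layout and the per-host tag are constructed assumptions.

```python
"""Aggregate sinkhole request logs: unique source IPs per country, top-N
concentration, and shared egress IPs that hide more than one infected host."""
from collections import defaultdict

# Constructed sample lines (not real PlugX traffic). Assumed layout:
# "<timestamp> <source_ip> <country_code> <per-host tag from the beacon>"
SAMPLE_LOG = """\
2024-01-10T08:00:01Z 203.0.113.5 NG host-a1
2024-01-10T08:00:07Z 203.0.113.5 NG host-b7
2024-01-10T08:01:12Z 198.51.100.17 IN host-c3
2024-01-10T08:02:45Z 198.51.100.17 IN host-c3
2024-01-10T08:03:00Z 192.0.2.44 CN host-d9
2024-01-10T08:04:30Z 192.0.2.45 CN host-e2
2024-01-10T08:05:10Z 198.51.100.200 GB host-f4
"""


def parse_log(text):
    """Split each non-empty line into (timestamp, ip, country, host_tag)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cc, tag = line.split()
        records.append((ts, ip, cc, tag))
    return records


def unique_ips_by_country(records):
    """Count distinct source IPs per country code (repeat beacons collapse)."""
    seen = defaultdict(set)
    for _, ip, cc, _ in records:
        seen[cc].add(ip)
    return {cc: len(ips) for cc, ips in seen.items()}


def top_n_share(counts, n):
    """Fraction of all unique IPs that fall in the n most-infected countries."""
    total = sum(counts.values())
    top = sorted(counts.values(), reverse=True)[:n]
    return sum(top) / total if total else 0.0


def shared_egress_ips(records):
    """IPs behind which more than one distinct host tag beacons: a unique-IP
    count treats each as a single infection, so it undercounts them."""
    tags = defaultdict(set)
    for _, ip, _, tag in records:
        tags[ip].add(tag)
    return {ip: len(t) for ip, t in tags.items() if len(t) > 1}
```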

4. Disinfection Challenges:
– Sekoia formulated two strategies to clean computers reaching their sinkhole and called for national cybersecurity teams and law enforcement agencies to join the disinfection effort.
– The cybersecurity firm is offering to provide national CERTs with the required information to perform “sovereign disinfection” and has highlighted the challenges of disinfecting air-gapped networks already impacted by PlugX and infected USB drives.

5. PlugX Background:
– PlugX has been used since at least 2008, primarily in espionage and remote access operations by groups linked to the Chinese Ministry of State Security, and multiple attack groups have used it to target government, defense, technology, and political organizations.
– A recent variant of PlugX features a wormable component, allowing it to spread autonomously by infecting removable drives such as USB flash drives and potentially reaching air-gapped systems.