Auth Lab Community

Researchers Sinkhole PlugX C2 Server, See Beacons from 2.5 Million Unique IPs

**Researchers Take Control of PlugX Malware Variant C2 Server**

In a recent development reported by BleepingComputer, researchers at cybersecurity firm Sekoia gained control over a command and control (C2) server belonging to a variant of the PlugX malware. Over six months of monitoring, they observed connections from more than 2.5 million unique IP addresses.

The C2 IP address, which Sekoia captured in September last year, has been receiving more than 90,000 requests a day from infected hosts in over 170 countries. Holding the address let Sekoia analyze the beacon traffic, map where the infections are, keep the infected clients from being abused by anyone else, and plan an eradication.

Sekoia’s researchers acquired the IP address 45.142.166[.]112, which the PlugX variant uses as its C2 server, for a mere $7. The same address appeared in a Sophos report from March 2023 describing the spread of a new PlugX version to locations “nearly half a globe apart.” This version also self-propagates through USB devices.

After obtaining the IP from the hosting company, the researchers had shell access to the server it was routed to. To stand in for the original C2 server, they set up a basic web server that accepted and logged the HTTP requests from infected hosts, which was enough to observe how the traffic varied over time.

The researchers found that between 90,000 and 100,000 systems sent requests daily, and that over 2.5 million unique IP addresses from around the world connected to the server over the course of six months. Although the worm reached 170 countries, 15 countries accounted for over 80% of all infections, with Nigeria, India, China, Iran, Indonesia, the UK, Iraq, and the US leading the list.

Sekoia cautioned that the beacons received by the hijacked C2 server carry no unique identifier for the infected host, so the unique IP count is an unreliable measure of the number of infected machines: many hosts sit behind NAT and share one address, while hosts on dynamic addresses show up as several. The company believes the variant has been active for four years, long enough to spread globally.
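Sinkholing at this scale comes down to two pieces: a server that accepts the beacons without ever answering like a real controller, and a count that is honest about what a source IP does and does not tell you. The following is an added example, not Sekoia’s tooling or anything from the PlugX code: the JSON-lines log format, the log file name and the sample records are constructed, and the handler knows nothing about the PlugX protocol. It logs every request, replies with an empty 200, and the statistics function shows why a cumulative unique-IP total grows past the number of hosts beaconing on any single day once addresses change.

```python
"""Minimal HTTP sinkhole logger plus beacon statistics (added example, not Sekoia's code)."""
import http.server
import json
from collections import defaultdict
from datetime import datetime, timezone

LOG_PATH = "sinkhole.jsonl"  # assumed file name for the append-only request log


class SinkholeHandler(http.server.BaseHTTPRequestHandler):
    """Accept any method and path, append one JSON record per request, and answer
    200 with an empty body. The reply deliberately carries no content: a sinkhole
    must never send anything an implant could interpret as a command."""

    def _log_and_reply(self):
        record = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src": self.client_address[0],
            "method": self.command,
            "path": self.path,
            "ua": self.headers.get("User-Agent", ""),
        }
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
        length = int(self.headers.get("Content-Length") or 0)
        if length:
            self.rfile.read(length)  # drain the body so the socket is not left half-read
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = _log_and_reply

    def log_message(self, *args):  # keep the default stderr logging quiet
        pass


def parse_log(text):
    """Turn JSON-lines sinkhole output into a list of records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def traffic_stats(records):
    """Return ({day: (requests, unique_ips)}, cumulative_unique_ips).

    Beacons carry no per-victim identifier, so unique IPs are a count of
    addresses, not machines: NAT merges many hosts into one IP, and dynamic
    addressing splits one host across many. Comparing the per-day unique count
    with the cumulative total makes that gap visible."""
    per_day_requests = defaultdict(int)
    per_day_ips = defaultdict(set)
    all_ips = set()
    for r in records:
        day = r["ts"][:10]
        per_day_requests[day] += 1
        per_day_ips[day].add(r["src"])
        all_ips.add(r["src"])
    daily = {d: (per_day_requests[d], len(per_day_ips[d])) for d in sorted(per_day_requests)}
    return daily, len(all_ips)


# Constructed sample log: three hosts beacon every day, but the third host's
# address changes daily, so the cumulative unique-IP total (5) overstates
# the three machines that are actually infected.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:00+00:00", "src": "10.0.0.1", "method": "POST", "path": "/update", "ua": "Mozilla/4.0"}
{"ts": "2024-05-01T08:05:00+00:00", "src": "10.0.0.2", "method": "POST", "path": "/update", "ua": "Mozilla/4.0"}
{"ts": "2024-05-01T08:09:00+00:00", "src": "10.0.0.3", "method": "POST", "path": "/update", "ua": "Mozilla/4.0"}
{"ts": "2024-05-02T08:00:00+00:00", "src": "10.0.0.1", "method": "POST", "path": "/update", "ua": "Mozilla/4.0"}
{"ts": "2024-05-02T08:04:00+00:00", "src": "10.0.0.2", "method": "POST", "path": "/update", "ua": "Mozilla/4.0"}
{"ts": "2024-05-02T08:11:00+00:00", "src": "10.0.0.4", "method": "POST", "path": "/update", "ua": "Mozilla/4.0"}
{"ts": "2024-05-03T08:00:00+00:00", "src": "10.0.0.1", "method": "POST", "path": "/update", "ua": "Mozilla/4.0"}
{"ts": "2024-05-03T08:03:00+00:00", "src": "10.0.0.2", "method": "POST", "path": "/update", "ua": "Mozilla/4.0"}
{"ts": "2024-05-03T08:07:00+00:00", "src": "10.0.0.5", "method": "POST", "path": "/update", "ua": "Mozilla/4.0"}
{"ts": "2024-05-03T20:00:00+00:00", "src": "10.0.0.1", "method": "POST", "path": "/update", "ua": "Mozilla/4.0"}
"""

SAMPLE_RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    daily, total = traffic_stats(SAMPLE_RECORDS)
    for day, (reqs, ips) in daily.items():
        print(f"{day}: {reqs} requests, {ips} unique IPs")
    print(f"cumulative unique IPs: {total}")
    # Uncomment to run the sinkhole itself (binds port 8080 on all interfaces).
    # http.server.HTTPServer(("0.0.0.0", 8080), SinkholeHandler).serve_forever()
```

On the sample, every day shows three unique IPs while the cumulative total is five; on a real sinkhole the same effect, scaled up over six months of churning consumer addresses, is why a headline figure of unique IPs should not be read as a count of infected machines.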

PlugX malware has become a commonly used tool over the years, utilized by various threat actors, some of whom engage in profit-driven activities such as ransomware. Sekoia proposed two strategies for eradicating the PlugX malware and called upon national cybersecurity teams and law enforcement agencies to join the effort.

The strategies include utilizing PlugX’s self-deletion function to remove it from infected computers without additional steps, and developing and deploying a custom payload to eliminate PlugX from infected computers and connected USB drives.

Sekoia emphasized the legal complexities of the eradication process and suggested providing essential information to national Computer Emergency Response Teams (CERTs) to enable “sovereign disinfection” and avoid transnational legal issues.

Although these eradication methods cannot reach isolated networks or infected USB drives that are not plugged in, Sekoia stated that the botnet built on this hijacked PlugX version can be considered “dead” because its operators have lost control of it. The caveat is that anyone with interception capabilities on the path to the C2 address, or who gains control of the C2 server, could reactivate the botnet for their own purposes.

Since 2008, PlugX has primarily been used for espionage and remote access operations, targeting government, defense, technology, and political organizations, initially in Asia and later in the West as well. With capabilities including command execution, file upload and download, keylogging, and system information collection, PlugX remains a potent threat. The variant described here adds a worm component that self-propagates through removable drives such as USB flash drives, which is what allows it to reach air-gapped networks.