Millions of devices still connect to this dangerous malware, even though its creators abandoned it years ago

Millions of devices are still connected to the PlugX malware despite its creators abandoning it months ago, experts warn.

Cybersecurity analysts at Sekoia identified the IP address of the malware’s command and control (C2) server and observed connection requests to it over a six-month period.

During the analysis, infected endpoints attempted 90,000 connection requests every day, for a total of 2.5 million connections. The devices were located in 170 countries, the report said. However, only 15 countries accounted for more than 80% of the total number of infections, with Nigeria, India, China, Iran, Indonesia, Britain, Iraq and the United States making up the top eight.

Still in danger

While it may initially seem like there are many infected endpoints worldwide, the researchers emphasize that the numbers may not be completely accurate. The malware’s C2 traffic carries no unique per-host identifier, which clouds the results because many infected workstations can sit behind the same IP address.

In addition, if a device uses a dynamic IP address, a single device can be counted as several. Finally, many connections could come in through VPN services, making country-related statistics moot.
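To make the counting caveats above concrete, here is an added Python example (not Sekoia’s tooling or data) that aggregates constructed sinkhole log lines the way such a report would: total connections, distinct source addresses, distinct addresses per country, the share held by the top N countries, and a heuristic flag for addresses whose daily connection count is too high for a single beaconing host, which is the NAT/shared-address effect the researchers describe. The log format, the country column and the `max_per_host_per_day` threshold are assumptions for the illustration.

```python
"""Sinkhole telemetry aggregation: an added illustration on constructed data."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (not real telemetry). Assumed format:
# "<ISO-8601 timestamp> <source_ip> <ISO country code>".
SAMPLE_LOG = """\
2024-03-01T00:00:01Z 203.0.113.10 NG
2024-03-01T00:10:01Z 203.0.113.10 NG
2024-03-01T00:10:04Z 203.0.113.10 NG
2024-03-01T00:00:09Z 198.51.100.7 IN
2024-03-01T06:00:00Z 198.51.100.7 IN
2024-03-01T00:02:00Z 192.0.2.44 CN
2024-03-01T00:03:00Z 192.0.2.45 CN
2024-03-01T00:04:00Z 192.0.2.46 US
2024-03-02T00:00:01Z 203.0.113.10 NG
2024-03-02T00:00:30Z 192.0.2.99 GB
"""


def parse_log(text):
    """Parse whitespace-separated lines into (datetime, ip, country) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cc = line.split()
        records.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, cc))
    return records


def summarize(records):
    """Raw connection volume versus distinct source addresses, plus the daily rate."""
    days = {ts.date() for ts, _, _ in records}
    return {
        "connections": len(records),
        "unique_ips": len({ip for _, ip, _ in records}),
        "days": len(days),
        "avg_connections_per_day": len(records) / len(days) if days else 0.0,
    }


def unique_ips_by_country(records):
    """Distinct source addresses per country: the usual 'infections per country' proxy.

    Each address counts once, so a NAT gateway hiding many hosts undercounts and a
    host that changes dynamic addresses overcounts; the page's caveats apply here."""
    seen = defaultdict(set)
    for _, ip, cc in records:
        seen[cc].add(ip)
    return Counter({cc: len(ips) for cc, ips in seen.items()})


def top_n_share(by_country, n):
    """Fraction of all distinct addresses contributed by the n largest countries."""
    total = sum(by_country.values())
    return sum(c for _, c in by_country.most_common(n)) / total if total else 0.0


def suspected_shared_addresses(records, max_per_host_per_day):
    """Addresses whose daily connection count exceeds what one beaconing host would send.

    `max_per_host_per_day` is an assumed threshold chosen by the analyst; anything above it
    hints that several infected machines sit behind one NAT or proxy address."""
    per_ip_day = Counter((ip, ts.date()) for ts, ip, _ in records)
    return sorted({ip for (ip, _), c in per_ip_day.items() if c > max_per_host_per_day})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    by_cc = unique_ips_by_country(recs)
    print(by_cc.most_common(), "top-2 share:", top_n_share(by_cc, 2))
    print("possibly shared:", suspected_shared_addresses(recs, max_per_host_per_day=2))
```

Run against the constructed lines, the script reports 10 connections but only 6 distinct addresses, and flags 203.0.113.10, which sent three connections on one day, as a candidate shared address; on real sinkhole data the same split between connection volume and distinct addresses is what separates the headline figure from a defensible infection estimate.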

PlugX was first observed in 2008 in cyber espionage campaigns by Chinese state-sponsored threat actors, the researchers said. The targets were mainly organizations in the government, defense and technology sectors, based in Asia. The malware was able to execute commands, download and upload files, log keystrokes and collect system information. Over the years, additional features have been added, such as the ability to propagate autonomously via USB drives, which makes containment almost impossible today. The list of targets also expanded towards the West.

However, after the source code was leaked in 2015, PlugX became more of a ‘regular’ malware, with many different groups, both state-sponsored and financially motivated, using it, which is likely why the original developers abandoned it.

Via BleepingComputer
