
Sekoia Researchers Combat PlugX Malware with Sinkholing Operation

Researchers at the cybersecurity company Sekoia sinkholed a command and control (C2) server used by the PlugX malware. The sinkhole received an overwhelming volume of requests from infected hosts in over 170 countries, the botnet tied to that C2 was effectively neutralized, and the operation underscores the need for collaborative efforts in combating cyber threats.

At a glance

  • Sekoia, a cybersecurity company, made a breakthrough against PlugX malware by sinkholing one of its C2 servers
  • 2.5 million connections from unique IP addresses to the sinkhole server over six months
  • Sekoia spent $7 to acquire the IP address of the C2 server for the PlugX malware
  • Between 90,000 and 100,000 systems sent requests daily to the sinkhole server
  • Sinkholing the PlugX C2 effectively neutralized the botnet associated with the malware

The details

Researchers at Sekoia, a cybersecurity company, recently made a significant breakthrough in combating the PlugX malware by sinkholing a command and control server associated with a variant of the malware.

The researchers observed an astonishing 2.5 million connections from unique IP addresses to the sinkhole server over a period of six months.

Since September 2023, the sinkhole server has received over 90,000 requests daily from infected hosts located in more than 170 countries.

Innovative Strategy to Combat PlugX Malware

In a strategic move, Sekoia reportedly spent $7 to acquire the IP address of the C2 server for the PlugX malware.

This IP address was initially documented in a report by Sophos in March 2023, indicating prior knowledge of the malicious infrastructure.

Sekoia then set up a web server to capture HTTP requests from infected hosts to monitor variations in the flow of traffic.

Global Impact of PlugX Malware

The scale of the infection was staggering, with between 90,000 and 100,000 systems sending requests daily to the sinkhole server.

Surprisingly, just 15 countries accounted for over 80% of the total infections, with China, India, and the United States topping the list.

It was noted that the sinkholed PlugX C2 lacked unique identifiers, making it difficult to obtain an accurate count of infected hosts.
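The two points above, capturing HTTP requests on a sinkhole web server and the difficulty of counting hosts when the beacons carry no unique identifier, can be illustrated with a small log analysis. The following is an added example written for this page; it is not Sekoia's code, and the access-log lines and the `parse_line`, `daily_unique_ips`, `total_unique_ips` and `summarize` helpers are constructed for illustration. It parses Apache-style combined-log lines from a hypothetical sinkhole, counts unique source IPs per day, and shows why the sum of daily counts and the overall unique count diverge when IP address is the only available key.

```python
"""Count unique source IPs hitting a sinkhole web server, per day and overall.

Added example, not Sekoia's code. The log lines below are constructed
(RFC 5737 documentation addresses) and do not come from any real sinkhole.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (hypothetical). Same IP beaconing twice in one
# day, one IP straddling midnight, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Sep/2023:08:01:22 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0"
203.0.113.10 - - [12/Sep/2023:08:31:22 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Sep/2023:09:15:03 +0000] "POST /update HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.55 - - [12/Sep/2023:23:59:59 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.55 - - [13/Sep/2023:00:00:10 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0"
203.0.113.10 - - [13/Sep/2023:08:01:25 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0"
not a log line
"""

# Apache combined log: client IP, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return {"ip", "day", "request"} for a valid line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))  # rejects garbage in the IP field
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {"ip": str(ip), "day": ts.date().isoformat(), "request": m.group("req")}


def daily_unique_ips(log_text):
    """Map ISO day -> number of distinct source IPs seen that day."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_day[rec["day"]].add(rec["ip"])
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def total_unique_ips(log_text):
    """Number of distinct source IPs across the whole log."""
    return len({rec["ip"] for rec in map(parse_line, log_text.splitlines()) if rec})


def summarize(log_text):
    """Side-by-side figures showing why IP-based host counts are only estimates.

    With no per-host identifier in the beacon, one NATed IP may hide many
    hosts (undercount) and one host may appear under several IPs over time
    (overcount), so the sum of daily counts and the overall unique count
    bracket, rather than measure, the infected population.
    """
    daily = daily_unique_ips(log_text)
    parsed = sum(1 for line in log_text.splitlines() if parse_line(line))
    return {
        "parsed_requests": parsed,
        "daily": daily,
        "sum_of_daily": sum(daily.values()),
        "total_unique": total_unique_ips(log_text),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the daily counts are 3 and 2, which sum to 5, while only 3 distinct addresses ever appear; real sinkhole data behaves the same way at scale, which is why a figure like "between 90,000 and 100,000 systems daily" is a range rather than a host count.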

PlugX, a malware initially associated with state-sponsored Chinese operations, has evolved over the years and is now utilized by various threat actors.

The malware boasts extensive capabilities, including command execution, file uploading and downloading, keystroke logging, and system information access.

Notably, a recent variant of PlugX features a wormable component, enabling autonomous spread through removable drives.

Sekoia has taken proactive measures to address the widespread infection, formulating two strategies for cleaning infected computers.

One method involves sending a self-delete command supported by PlugX to remove the malware from compromised systems.

The more intricate approach entails developing and deploying a custom payload on infected machines to eradicate PlugX from the system and infected USB drives.

However, air-gapped networks already impacted by PlugX are deemed beyond reach for disinfection efforts.

The successful sinkholing of the PlugX C2 has effectively neutralized the botnet associated with the malware, rendering it “dead” as the operators no longer maintain control.

PlugX has been in use since at least 2008, primarily in espionage and remote access operations, so the sinkholing operation marks a significant milestone in combating the pervasive threat it poses. Sekoia has called upon national cybersecurity teams to collaborate in the disinfection efforts, recognizing the critical importance of collective action in safeguarding against sophisticated cyber threats.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

bleepingcomputer.com
– Researchers sinkholed a command and control server for a variant of the PlugX malware and observed over 2.5 million connections from unique IP addresses in six months.
– The sinkhole server received over 90,000 requests daily from infected hosts in more than 170 countries since September 2023.
– Sekoia cybersecurity company spent $7 to acquire the IP address of the C2 server for the PlugX malware.
– The C2 IP address was documented in a report from Sophos in March 2023.
– Sekoia set up a web server to capture HTTP requests from infected hosts and observe variations in the flow.
– Between 90,000 and 100,000 systems were sending requests daily to the sinkhole server.
– Just 15 countries accounted for over 80% of the total infections, with China, India, and the United States being at the top of the list.
– The sinkholed PlugX C2 does not have unique identifiers, leading to an unreliable count of infected hosts.
– PlugX was initially associated with state-sponsored operations of Chinese origin but has been used by various threat actors over the years.
– Sekoia has formulated two strategies to clean computers reaching their sinkhole and called for national cybersecurity teams to join the disinfection effort.
– One method involves sending a self-delete command supported by PlugX to remove it from computers.
– A more complex method involves developing and deploying a custom payload on infected machines to remove PlugX from the system and infected USB drives.
– Air-gapped networks already impacted by PlugX are beyond reach for disinfection.
– The botnet built with the sinkholed version of PlugX can be considered “dead” because the malware operators are no longer in control.
– PlugX has been used since at least 2008 mainly in espionage and remote access operations.
– The malware features extensive capabilities including command execution, uploading and downloading files, logging keystrokes, and accessing system information.
– A recent variant of PlugX features a wormable component, allowing it to spread autonomously by infecting removable drives.
