Researchers Successfully Sinkhole PlugX Malware Server, Recording 2.5 Million Unique IPs


Researchers successfully seized control of a command and control (C2) server linked to a variant of the PlugX malware, effectively halting its malicious operations. Over the span of six months, more than 2.5 million connections were logged from diverse IP addresses worldwide.

Beginning in September 2023, cybersecurity firm Sekoia took action upon identifying the unique IP address associated with the C2 server. Their efforts resulted in the logging of over 2.4 million unique IP addresses from 170 countries, allowing for comprehensive analysis of the malware's spread and the development of effective countermeasures.

Sekoia's researchers acquired the C2 server's IP address at a cost of $7. They then gained shell access to the server and configured it to mimic the original C2 server's behavior. This allowed them to capture HTTP requests from infected hosts and provided insight into the malware's activities.

The sinkhole operation revealed a daily influx of between 90,000 and 100,000 requests from infected systems, originating from various locations worldwide. Notably, certain countries accounted for a significant portion of the infections, with Nigeria, India, China, and the United States among the most affected.

Despite the challenges posed by the malware's lack of unique identifiers and its ability to spread through various means, Sekoia's researchers identified potential strategic interests, particularly in regions associated with China's Belt and Road Initiative.
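The gap between daily request volume and the cumulative unique-IP total is easier to see in a small worked example. The sketch below is an added illustration, not Sekoia's tooling: it assumes the sinkhole writes common access-log style lines, and the sample log is constructed (documentation-range IPs, two hypothetical infected hosts, one of them on a dynamic address).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: host A changes address daily (192.0.2.10 -> 192.0.2.55
# -> 203.0.113.9), host B keeps 198.51.100.7. Not real sinkhole data.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2023:08:00:01 +0000] "GET / HTTP/1.1" 200 0
192.0.2.10 - - [01/Oct/2023:09:12:44 +0000] "GET / HTTP/1.1" 200 0
198.51.100.7 - - [01/Oct/2023:10:30:00 +0000] "GET / HTTP/1.1" 200 0
192.0.2.55 - - [02/Oct/2023:08:01:13 +0000] "GET / HTTP/1.1" 200 0
198.51.100.7 - - [02/Oct/2023:11:45:09 +0000] "GET / HTTP/1.1" 200 0
203.0.113.9 - - [03/Oct/2023:07:59:58 +0000] "GET / HTTP/1.1" 200 0
198.51.100.7 - - [03/Oct/2023:12:00:00 +0000] "GET / HTTP/1.1" 200 0
malformed line without a timestamp
"""

# Source IP, two ignored fields, then the bracketed timestamp.
LINE_RE = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")


def parse(log_text):
    """Yield (date, source_ip) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield ts.date(), m.group(1)


def summarize(log_text):
    """Return rows of (day, requests, unique IPs that day, cumulative unique IPs)."""
    ips_by_day = defaultdict(set)
    requests = defaultdict(int)
    for day, ip in parse(log_text):
        ips_by_day[day].add(ip)
        requests[day] += 1
    seen, rows = set(), []
    for day in sorted(ips_by_day):
        seen |= ips_by_day[day]
        rows.append((day.isoformat(), requests[day], len(ips_by_day[day]), len(seen)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Two hosts produce two unique IPs every day, yet the cumulative count reaches four after three days because one host's address changes. Hosts behind a shared NAT address skew the count the other way, so a unique-IP total is an indicator of spread rather than a count of infected machines.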

To address the widespread infection, Sekoia proposed two strategies for disinfection, urging national cybersecurity teams and law enforcement agencies to collaborate. One approach involves sending self-delete commands supported by PlugX, while the other entails the development and deployment of custom payloads to eradicate the malware from infected systems and USB drives.

While the sinkhole operation effectively neutralized the botnet controlled by PlugX, Sekoia warned of the possibility of its revival by malicious actors with access to the C2 server.

PlugX, initially linked to state-sponsored Chinese operations, has evolved into a widely used tool by various threat actors since its emergence in 2008. Its extensive capabilities and recent wormable features pose significant security risks, necessitating collaborative efforts to mitigate its impact.