Millions of devices still connect to this dangerous malware, despite the creators ditching it years ago
PlugX still gets hundreds of thousands of requests a day
Millions of devices are still connected to the PlugX malware, despite its creators abandoning it months ago, experts have warned.
Cybersecurity analysts Sekoia managed to obtain the IP address associated with the malware’s command & control (C2) server, and observed connection requests over a six-month period.
During the course of the analysis, infected endpoints attempted 90,000 connection requests every day, amounting to 2.5 million connections in total. The devices were located in 170 countries, it was said. However, just 15 of them made up more than 80% of total infections, with Nigeria, India, China, Iran, Indonesia, the UK, Iraq, and the United States making up the top eight.
Still at risk
While at first it might sound like there are many infected endpoints around the world, the researchers did stress that the numbers might not be entirely precise. The malware’s C2 does not have unique identifiers, which messes with the results, as many compromised workstations can exit through the same IP address.
Furthermore, if any of the devices use a dynamic IP system, a single device can be perceived as multiple ones. Finally, many connections could be coming in through VPN services, making country-related statistics moot.
PlugX was first observed in 2008 in cyber-espionage campaigns mounted by Chinese state-sponsored threat actors, the researchers said. The targets were mostly organizations in government, defense, and technology sectors, located in Asia. The malware was capable of command execution, file download and upload, keylogging, and accessing system information. Over the years, it grew additional features, such as the ability to autonomously spread via USB drives, which makes containment today almost impossible. The list of targets also expanded towards the West.
However, after the source code leaked in 2015, PlugX became more of a “common” malware, with many different groups, both state-sponsored and financially-motivated, using it, which is probably why the original developers abandoned it.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Via BleepingComputer
More from TechRadar Pro
- Antivirus updates hijacked to drop dangerous malware
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.