Millions of devices still connect to this dangerous malware, despite the creators ditching it years ago

by DTM | Posted on

Millions of devices are still connected to the PlugX malware, despite its creators abandoning it months ago, experts have warned.

Cybersecurity analysts Sekoia managed to obtain the IP address associated with the malware’s command & control (C2) server, and observed connection requests over a six-month period.

During the course of the analysis, infected endpoints attempted 90,000 connection requests every day, amounting to 2.5 million connections in total. The devices were located in 170 countries, it was said. However, just 15 of them made up more than 80% of total infections, with Nigeria, India, China, Iran, Indonesia, the UK, Iraq, and the United States making up the top eight.

Still at risk

While at first it might sound like there are many infected endpoints around the world, the researchers did stress that the numbers might not be entirely precise. The malware’s C2 does not have unique identifiers, which messes with the results, as many compromised workstations can exit through the same IP address.

Furthermore, if any of the devices use a dynamic IP system, a single device can be perceived as multiple ones. Finally, many connections could be coming in through VPN services, making country-related statistics moot.

PlugX was first observed in 2008 in cyber-espionage campaigns mounted by Chinese state-sponsored threat actors, the researchers said. The targets were mostly organizations in government, defense, and technology sectors, located in Asia. The malware was capable of command execution, file download and upload, keylogging, and accessing system information. Over the years, it grew additional features, such as the ability to autonomously spread via USB drives, which makes containment today almost impossible. The list of targets also expanded towards the West.

However, after the source code leaked in 2015, PlugX became more of a “common” malware, with many different groups, both state-sponsored and financially-motivated, using it, which is probably why the original developers abandoned it.

Via BleepingComputer 

More from TechRadar Pro