
Millions of devices are still infected with PlugX malware: Experts

PlugX became more of a 'common' malware after the source code was made public in 2015

Experts have cautioned that even though the PlugX malware’s developers abandoned it months ago, millions of devices are still infected with it.

Over a six-month period, analysts at the cybersecurity firm Sekoia took control of the IP (Internet Protocol) address that the malware's command and control (C2) server had used, and observed the connection requests that still-infected machines kept sending to it (a sinkhole).

During the analysis period the sinkhole received beacons from roughly 90,000 distinct source IP addresses per day, and about 2.5 million distinct addresses over the whole period. Those addresses were spread across 170 countries.

Only fifteen countries, however, accounted for more than 80% of all infections; the top eight were Iraq, the United States, Nigeria, India, China, Iran, Indonesia, and the United Kingdom.

Still At Risk

Although the number of infected endpoints worldwide is clearly large, the researchers were careful to stress that the figures are approximate. The malware's C2 protocol carries no per-host identifier, so infections can only be counted by source IP address, and several compromised workstations behind the same NAT gateway will all exit through one address and be counted once.

The opposite error also occurs: a device on a connection with dynamic IP addressing may be counted several times as its address changes. Finally, many connections may arrive through VPN services, in which case the source address says nothing about where the infected machine really is, and the per-country figures become unreliable.
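To make the counting caveats concrete, the following Python script is an added example (it is not code from Sekoia or from the article) that aggregates sinkhole connection records the way the figures above were derived: distinct source IPs per day, distinct IPs over the whole period, and a per-country breakdown. The log lines and the `timestamp src_ip country` format are constructed for illustration; a real sinkhole would log the malware's beacons and resolve the country from a GeoIP database. The sample deliberately contains the two ambiguous patterns the text describes: one address beaconing repeatedly (one retrying host, or several hosts behind NAT) and two neighbouring addresses on consecutive days (two hosts, or one host whose dynamic IP changed).

```python
"""Sinkhole telemetry aggregation by source IP.

Added example, not the researchers' tooling. The record format and the
log contents below are constructed; the country code stands in for a
GeoIP lookup that a real sinkhole would perform on the source address.
"""
from collections import defaultdict

# Constructed sample of sinkhole connection records: "timestamp src_ip country".
# 203.0.113.10 beacons three times in a minute: one host retrying, or three
# hosts behind one NAT gateway (the C2 protocol cannot tell them apart).
# 198.51.100.7 and .8 on consecutive days: two hosts, or one host whose
# dynamic IP address changed overnight.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 203.0.113.10 IQ
2024-03-01T08:00:05Z 203.0.113.10 IQ
2024-03-01T08:00:09Z 203.0.113.10 IQ
2024-03-01T09:12:44Z 198.51.100.7 US
2024-03-02T08:00:02Z 203.0.113.10 IQ
2024-03-02T10:30:00Z 198.51.100.8 US
2024-03-02T11:00:00Z 192.0.2.55 NG
"""


def parse_records(text):
    """Parse log lines into (day, src_ip, country) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, src_ip, country = line.split()
        day = timestamp[:10]  # ISO date prefix, e.g. "2024-03-01"
        records.append((day, src_ip, country))
    return records


def raw_connections(records):
    """Total beacons received. Overstates hosts: a retrying host counts many times."""
    return len(records)


def daily_unique_ips(records):
    """Distinct source IPs per day, the per-day figure a sinkhole report quotes."""
    per_day = defaultdict(set)
    for day, src_ip, _ in records:
        per_day[day].add(src_ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def total_unique_ips(records):
    """Distinct source IPs over the whole period.

    This is a lower bound on hosts for NAT (many hosts, one address) and an
    upper bound for dynamic addressing (one host, many addresses), so the
    true number of infected machines can lie on either side of it.
    """
    return len({src_ip for _, src_ip, _ in records})


def unique_ips_by_country(records):
    """Distinct source IPs per country code (VPN exits distort this mapping)."""
    per_country = defaultdict(set)
    for _, src_ip, country in records:
        per_country[country].add(src_ip)
    return {country: len(ips) for country, ips in per_country.items()}


def top_share(records, n):
    """Fraction of all distinct IPs that fall in the n largest countries."""
    counts = unique_ips_by_country(records)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    top = sum(count for _, count in ranked[:n])
    return top / total_unique_ips(records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("raw connections:", raw_connections(recs))
    print("unique IPs per day:", daily_unique_ips(recs))
    print("unique IPs overall:", total_unique_ips(recs))
    print("unique IPs by country:", unique_ips_by_country(recs))
    print("share held by top 2 countries:", top_share(recs, 2))
```

On the constructed sample, seven beacons collapse to four distinct addresses, yet the real number of infected hosts could be as low as three (if .7 and .8 are the same dynamic-IP machine) or well above four (if the three Iraqi beacons came from separate hosts behind one gateway). That spread is exactly why the researchers describe their totals as estimates.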

According to the researchers, PlugX was first noticed in cyber-espionage operations carried out by threat actors backed by the Chinese government in 2008. The targets were primarily Asian organisations in the defence, technology, and government sectors.

The malware could download and upload files, execute commands, log keystrokes, and collect system information. New features were added over time, notably the ability to spread on its own through USB drives, which lets it reach isolated networks and keep reinfecting cleaned machines, so the infection has become very hard to contain. Its target list also grew to include Western organisations.

But PlugX became more of a "commodity" malware after its source code was made public in 2015. Once it was in use by a wide range of groups with financial and/or state-sponsored motives, it no longer served its original purpose as a distinctive espionage tool, which is likely why its original developers abandoned it.
