PlugX USB worm Infected Over 2.5M Devices

A new menace has emerged, affecting millions of devices worldwide.

The PlugX USB worm, a sophisticated malware, has been reported to have infected over 2.5 million devices, posing a significant threat to global cybersecurity.

The PlugX malware, initially identified several years ago, has gained fame for its resilience and ability to spread through USB drives.

In March 2023, cybersecurity experts at Sophos highlighted a variant of PlugX with enhanced worming capabilities that could jump borders and infiltrate networks undetected.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Infection Spread

By September 2023, the situation escalated when researchers successfully sinkhole a command and control (C2) server associated with the PlugX worms.

For a mere $7, they acquired a unique IP address linked to the worm variant, which revealed a staggering number of infected public IP addresses.

According to Sekoia’s findings, Despite the malware’s inception years prior, daily requests from approximately 90,000 to 100,000 unique IPs were still being sent to the sinkhole.

Over six months, more than 2.5 million unique IPs connected to it, indicating the worm’s extensive reach.

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

• Real-time Detection
• Interactive Malware Analysis
• Easy to Learn by New Security Team members
• Get detailed reports with maximum data
• Set Up Virtual Machine in Linux & all Windows OS Versions
• Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Try ANY.RUN for FREE

Mitigation

The battle against PlugX took a turn when experts cracked the cryptography of its communications.

This breakthrough allowed the development of disinfection commands that could be sent to compromised workstations.

Two methods were devised: one that cleanses the workstation and another, more intrusive technique that also purges the USB drive.

In an unprecedented move, a concept of sovereign disinfection was proposed. Law enforcement agencies and national Computer Emergency Response Teams were offered the tools to remove the malware from infected hosts remotely.

This approach aims to empower nations to take control of their cybersecurity by eliminating the threat from within their digital borders.

The PlugX USB worm’s vast infection rate is a stark reminder of the persistent threat cybercriminals pose.

While the worm cannot be entirely eradicated, the collaborative efforts of cybersecurity communities have opened a path to mitigating its impact.

The sovereign disinfection process is a novel strategy that offers a glimmer of hope in the fight against pervasive cyber threats.

The PlugX USB worm saga underscores the importance of global cooperation in cybersecurity and the need for continuous vigilance in an ever-changing threat landscape.

As the world becomes increasingly interconnected, resilient and adaptable cybersecurity measures will be paramount in safeguarding our digital future.

Indicators of compromise

Files Hashes

432a07eb49473fa8c71d50ccaf2bc980b692d458ec4aaedd52d739cb377f3428

e8f55d0f327fd1d5f26428b890ef7fe878e135d494acda24ef01c695a2e9136d

3a53bd36b24bc40bdce289d26f1b6965c0a5e71f26b05d19c7aa73d9e3cfa6ff

2304891f176a92c62f43d9fd30cae943f1521394dce792c6de0e097d10103d45

8b8adc6c14ed3bbeacd9f39c4d1380835eaf090090f6f826341a018d6b2ad450

6bb959c33fdfc0086ac48586a73273a0a1331f1c4f0053ef021eebe7f377a292

b9f3cf9d63d2e3ce1821f2e3eb5acd6e374ea801f9c212eebfa734bd649bec7a

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo