
US Cracks Down on Chinese Malware: FBI Disables PlugX

  • usareisende
  • Jan 14
  • 3 min read

PlugX Malware - Infiltration Malware Remotely Controlled Through Single IP Server

Malware has long been the bane of the IT industry because its repercussions can cause massive damage and even endanger societies. Created solely for nefarious purposes, malware aims to destroy devices and files and to steal sensitive information, all without the victim's knowledge; the attacks are typically discovered only later.

These attacks are not directed only at individuals and private companies. As society becomes ever more reliant on IT, governments have also moved their services online, which introduces security vulnerabilities. Unfortunately, attacks from suspicious entities are widespread.


PlugX Malware


An extremely notorious malware known to infiltrate both private and public entities is the PlugX malware, and it is not just run-of-the-mill malware. According to a recent filing by the U.S. Department of Justice, PlugX was created by a hacking group called Mustang Panda, which was paid by the Chinese government to build it.

In the same filing, the U.S. Department of Justice noted that the attacks have been widespread:


“The FBI’s multi-year investigation of Mustang Panda has confirmed that this group of computer hackers has infiltrated the computer systems of numerous government and private organizations, including in the United States. Significant foreign targets include European shipping companies in 2024, several European Governments from 2021 to 2023…worldwide Chinese dissident groups, and governments throughout the Indo-Pacific.”

The PlugX malware infiltrates systems and sends information to a server. Once the malware is active, the infected device sends information to a C2 (command and control) server at the IP address 45.142.166.112. The C2 server can also send commands to the infected device, a dangerous scenario because the communication between the server and the device takes place without any user authorization.
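The beaconing described above leaves a trace in network logs: every infected host makes outbound connections to the single C2 address. The following detection script is an added example and is not code from the article, Sekoia or the FBI; it takes the C2 address from the text, while the flow-log format (one space-separated record per line: timestamp, source IP, destination IP, destination port, protocol) and the sample log lines are constructed for illustration.

```python
"""Flag internal hosts that contacted the PlugX C2 address in flow logs.

The C2 address 45.142.166.112 is the one named in the article; the log
lines below are constructed for this example, and the log format (one
space-separated flow record per line) is an assumption.
"""
import ipaddress
import re
from collections import defaultdict

PLUGX_C2 = {"45.142.166.112"}  # indicator taken from the article

# Constructed sample flow records: timestamp src_ip dst_ip dst_port proto
SAMPLE_LOG = """\
2024-11-02T08:14:03Z 10.20.1.15 45.142.166.112 443 tcp
2024-11-02T08:14:07Z 10.20.1.15 142.250.74.46 443 tcp
2024-11-02T08:20:41Z 10.20.3.9 45.142.166.112 80 tcp
2024-11-02T08:22:12Z 10.20.1.15 45.142.166.112 443 tcp
malformed line that should be skipped
2024-11-02T09:01:55Z 10.20.7.21 8.8.8.8 53 udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<proto>\w+)$"
)


def parse_flow(line):
    """Return a dict for a well-formed flow line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:  # reject records whose address fields are not valid IPs
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["port"] = int(rec["port"])
    return rec


def find_c2_contacts(log_text, indicators=PLUGX_C2):
    """Group flows to known C2 addresses by internal source host.

    Returns {src_ip: {"count": n, "first_seen": ts, "last_seen": ts,
    "ports": sorted list of destination ports}}. Lines are assumed to be
    in chronological order, so first/last seen are taken in file order.
    """
    hits = defaultdict(
        lambda: {"count": 0, "first_seen": None, "last_seen": None, "ports": set()}
    )
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["dst"] not in indicators:
            continue
        h = hits[rec["src"]]
        h["count"] += 1
        h["first_seen"] = h["first_seen"] or rec["ts"]
        h["last_seen"] = rec["ts"]
        h["ports"].add(rec["port"])
    return {src: {**h, "ports": sorted(h["ports"])} for src, h in hits.items()}


if __name__ == "__main__":
    for src, info in find_c2_contacts(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} flow(s) to PlugX C2, ports {info['ports']}, "
              f"{info['first_seen']} .. {info['last_seen']}")
```

Each flagged source host is a candidate for the clean-up the article describes later (registry keys, the malware directory and temporary files). Note that after the address was sinkholed, a hit only shows that a host is still infected and beaconing, not that it received commands.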


PlugX Malware Evolution


The malware has since evolved into something even more notorious that could have become a far bigger problem. According to a report from Sophos, the malware was able to spread through USB ports: an infected device copies the malware onto USB drives, which then infect any uninfected device they are plugged into. Using DLL sideloading, it executes its payload and infects the device almost instantly.

Unfortunately, infections have been recorded in numerous countries, not just in Europe, the US and the Indo-Pacific. According to The Record, IP addresses from more than 170 countries have attempted to communicate with the C2 server because of the malware.


Pulling the Plug

All of these security concerns about the PlugX malware have fortunately been addressed, and additional actions have been taken. Sekoia, a security research team, was able to take control of the IP address tied to the C2 server, as reported in their blog post:


“In September 2023, we successfully sinkholed a command and control server linked to the PlugX worms. For just $7, we acquired the unique IP address tied to a variant of this worm, which had been previously documented by Sophos.”

While they were able to take over the IP address and pull the plug on the malware’s remote access capability, the infection had already spread widely: more than 2.5 million IP addresses have tried to connect to the server.

Stopping the malware’s server and taking over its sole IP address is only one part of the equation. According to The Register, the FBI secured a total of nine warrants allowing it to remotely remove the malware: delete its registry keys, the related directory and its temporary files. In the US, those affected by the malware will be notified by their ISPs.
