An old worm abandoned by its creators continues to infect the machines of more than 2 million users


Mélina LOUPIA

April 26, 2024 at 4:31 p.m.


Be careful, this action can propagate the PlugX USB worm in your machine © Alexey Rotanov / Shutterstock


The PlugX USB worm is a variant of PlugX, a remote access trojan long associated with Chinese espionage operators and first seen in 2008. This variant spreads by copying itself onto USB keys, which then infect every machine they are plugged into.

The worm is back in the fruit. Just like its distant cousin Raspberry Robin, which resurfaced in April 2024 after three years of silence, PlugX is back, for the third time since it first appeared in 2008. This third generation is no less capable than its ancestors: it now spreads on its own.

Indeed, PlugX USB, as its new name indicates, plants itself on USB keys, which then infect every machine they are connected to. No elaborate action is required of the user: the worm hides its files on the key and presents a shortcut bearing the drive's name, so simply opening the key's contents is enough to launch it. Magic? No, engineering.

The best part of this story is that the single IP address of the command-and-control server the worm reports to was abandoned by its operator, leaving PlugX USB for dead. That was without counting on Felix Aimé, Charles M. and TDR (Threat Detection & Research), researchers at Sekoia, who turned that address into a trap into which every machine infected by the worm now falls, reducing it to nothing. Or almost.

A trap that captures the IP addresses of machines infected by PlugX USB and profiles its operators

Tracking the worm across the Internet, the researchers found it still active even though it was beaconing to an abandoned IP address. They bought that address (for a few dollars) and turned it into a sinkhole: a server that accepts the worm's check-ins and logs them without ever answering with commands.

And what was expected to be a harvest of a few thousand victims turned into a miraculous catch. "In total, between 90,000 and 100,000 unique IP addresses have been sending distinctive PlugX requests to our sinkhole server every day since September 2023," they note. In all, more than 2 million unique IP addresses across 170 countries have checked in. Since many hosts change address over time, that figure is an upper bound on the number of infected machines rather than an exact count.

They were thus able to map these infected IP addresses in order to work out where the worm had spread and what its creators, who never stated their goal, were after. Even though, as they point out on their blog, their conclusions should be taken with a grain of salt, the analysis points to a familiar suspect: China.
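The two figures quoted above, roughly 90,000 to 100,000 unique addresses per day against more than 2 million in total, are produced by the same kind of aggregation over sinkhole logs: de-duplicate per day, de-duplicate over the whole period, then attribute each address to a country. The script below is an added example written for this article, not Sekoia's code. It assumes a constructed log format (timestamp, source IP, and a "beacon"/"noise" classification that the sinkhole has already applied), a constructed prefix-to-country table standing in for a GeoIP database, and sample lines drawn from RFC 5737 documentation ranges. It shows why the cumulative count can grow far beyond the daily count when infected hosts change IP address, and why the cumulative number is therefore a ceiling on infected machines rather than an exact count.

```python
"""Aggregate sinkhole check-ins into daily uniques, cumulative uniques and a
per-country breakdown. Added example; log format and geo table are assumed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log. Assumed format: "<UTC timestamp> <source IP> <class>",
# where <class> is "beacon" for a request the sinkhole matched as a PlugX
# check-in and "noise" for anything else (scanners, crawlers, browsers).
SAMPLE_LOG = """\
2023-09-12T00:01:10Z 203.0.113.7 beacon
2023-09-12T00:03:44Z 203.0.113.7 beacon
2023-09-12T01:15:02Z 198.51.100.23 beacon
2023-09-12T02:00:00Z 192.0.2.99 noise
2023-09-12T05:42:31Z 198.51.100.200 beacon
2023-09-13T00:00:05Z 203.0.113.7 beacon
2023-09-13T03:21:19Z 198.51.100.23 beacon
2023-09-13T08:10:47Z 203.0.113.140 beacon
2023-09-13T09:00:00Z 192.0.2.99 noise
2023-09-14T00:20:00Z 203.0.113.140 beacon
2023-09-14T00:25:00Z 198.51.100.77 beacon
"""

# Constructed prefix-to-country table standing in for a GeoIP database.
# The prefixes are RFC 5737 documentation ranges; the country codes are invented.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "XA"),
    (ip_network("198.51.100.0/24"), "XB"),
    (ip_network("192.0.2.0/24"), "XC"),
]


def country_of(ip: str) -> str:
    """Longest-prefix lookup is unnecessary here: the table has no overlaps."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


def parse_beacons(log_text: str):
    """Yield (day, ip) for every line the sinkhole classified as a beacon.
    Malformed lines raise rather than being silently dropped, so a broken
    log cannot quietly deflate the counts."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, kind = line.split()
        if kind != "beacon":
            continue
        ip_address(ip)  # ValueError on garbage
        yield ts[:10], ip  # YYYY-MM-DD prefix of the timestamp


def aggregate(log_text: str) -> dict:
    """Return daily unique IPs, cumulative unique IPs and a per-country
    breakdown of the cumulative set."""
    daily = defaultdict(set)
    all_ips = set()
    for day, ip in parse_beacons(log_text):
        daily[day].add(ip)
        all_ips.add(ip)
    per_country = defaultdict(int)
    for ip in all_ips:
        per_country[country_of(ip)] += 1
    return {
        "daily_unique": {d: len(s) for d, s in sorted(daily.items())},
        "cumulative_unique": len(all_ips),
        "by_country": dict(per_country),
    }


if __name__ == "__main__":
    # Daily counts stay at 2-3 while the cumulative count reaches 5: the
    # same host seen under several addresses is counted once per address.
    print(aggregate(SAMPLE_LOG))
```

On the sample, the three daily figures (3, 3 and 2) sum to 8 while only 5 distinct addresses ever appear, and if one of those machines simply received a new address from its ISP, it is counted twice in the cumulative total. Real sinkhole data needs the same correction before "unique IPs" is read as "infected machines".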

Indeed, the Chinese "Belt and Road Initiative", which aims to revive the ancient Silk Road and revitalise international trade, has drawn in many countries, India being a notable holdout, and comes with heavy Chinese investment, especially in coastal states. The massive spread of PlugX USB in precisely those regions is what suggests the link. Nothing is certain, though, because China now invests everywhere.

The difficult choice: let the worm keep spreading or disinfect the systems blindly

Since the trap works and collects IP addresses, the researchers would only need to trace those addresses back to the owners of the infected machines and offer them a thorough spring cleaning of their systems. In principle the sinkhole could even do the job itself: the PlugX implant accepts a self-delete command from its C2, so the server could answer each check-in with an order to uninstall.

Yes, but nothing is that simple. First, a blanket disinfection of infected systems can delete healthy or essential files or processes. Then there are legal limits: the researchers have no legal authority to disinfect, from their server, machines that do not belong to them. Finally, a disinfected system may be reinfected sooner or later, not least by the USB keys still carrying the worm.

A simple connection of the infected USB key is enough to corrupt the machine © KsanderDN / Shutterstock


Letting PlugX USB live its best life might then seem the less risky option, since the command-and-control server (the famous C2) has not been active for years. Not so, say the researchers.

"[…] Anyone who controls the IP address or accesses any point in the network path between an infected workstation and the C2 server (even when it is down) can attempt to manipulate the behavior of the worm, to execute a payload, for example." The message is clear: in the wrong hands, PlugX USB could become far more dangerous.

This is why the Sekoia team chose to leave it to national authorities to decide whether or not to disinfect the workstations in their respective countries. They believe the decision belongs to computer emergency response teams (CERTs), law enforcement agencies (LEAs) and national cybersecurity authorities.

Sources: Ars Technica, Sophos, Sekoia


Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that still fascinates the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (that, lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
