
Unplugging PlugX: Sinkholing the PlugX USB worm botnet

Submitted by Style Pass, 2024-04-26 10:30:06

In March 2023, Sophos published an article entitled “A border-hopping PlugX USB worm takes its act on the road”, shining a light on a PlugX variant with worming capabilities. This variant, created in 2020, was designed to propagate via compromised flash drives, bypass air gaps, infect non-internet-facing networks and steal documents from them. According to the Sophos blogpost, all of these PlugX samples communicate with a single IP address, 45.142.166[.]112, hosted by GreenCloud.

In September 2023, we managed to take ownership of this IP address in order to sinkhole the botnet. We initially expected a few thousand victims to connect to it, as we usually see on our regular sinkholes. However, after setting up a simple web server, we observed a continuous flow of HTTP requests that varied with the time of day.

Faced with that, we decided to record the received requests in a database in order to map the infections. In total, between 90,000 and 100,000 unique IP addresses have been sending PlugX-distinctive requests to our sinkhole server every day since September 2023. Even if the botnet can be considered “dead”, since the operators no longer control it, anyone with interception capabilities or who takes ownership of this server could send arbitrary commands to the infected hosts and re-purpose them for malicious activities.
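The recording-and-mapping step described above, as an added sketch that is not the authors' own code: requests received by a sinkhole are stored in a database, tagged as bot traffic or not, and then aggregated into unique infected IPs per day and hosts that keep beaconing across days. The request fingerprint that identifies a PlugX beacon is not given on this page, so `PLACEHOLDER_MARKER` is an assumed stand-in, and the sample records are constructed, not real telemetry.

```python
import sqlite3

# Constructed sample sinkhole records (timestamp, source IP, request line); not real telemetry.
SAMPLE_REQUESTS = [
    ("2023-09-20T01:12:03", "203.0.113.10", "POST /placeholder-beacon HTTP/1.1"),
    ("2023-09-20T01:12:45", "203.0.113.10", "POST /placeholder-beacon HTTP/1.1"),
    ("2023-09-20T05:40:11", "198.51.100.7", "POST /placeholder-beacon HTTP/1.1"),
    ("2023-09-20T09:03:59", "192.0.2.44", "GET /robots.txt HTTP/1.1"),  # scanner noise, not a bot
    ("2023-09-21T00:00:01", "203.0.113.10", "POST /placeholder-beacon HTTP/1.1"),
    ("2023-09-21T13:27:30", "198.51.100.200", "POST /placeholder-beacon HTTP/1.1"),
]

# Assumption: stands in for the real PlugX request shape, which this page does not describe.
PLACEHOLDER_MARKER = "/placeholder-beacon"


def open_db():
    """Create an in-memory table holding every request the sinkhole received."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hits (ts TEXT, src_ip TEXT, request TEXT, is_bot INTEGER)")
    return conn


def record_request(conn, ts, src_ip, request):
    """Store one request and return 1 if it matched the bot fingerprint, else 0."""
    is_bot = 1 if PLACEHOLDER_MARKER in request else 0
    conn.execute("INSERT INTO hits VALUES (?, ?, ?, ?)", (ts, src_ip, request, is_bot))
    return is_bot


def unique_bots_per_day(conn):
    """Map day -> number of distinct source IPs that sent bot-fingerprinted requests."""
    rows = conn.execute(
        "SELECT substr(ts, 1, 10) AS day, COUNT(DISTINCT src_ip) "
        "FROM hits WHERE is_bot = 1 GROUP BY day ORDER BY day"
    ).fetchall()
    return dict(rows)


def persistent_hosts(conn, min_days=2):
    """Source IPs that beaconed on at least min_days distinct days (still-infected hosts)."""
    rows = conn.execute(
        "SELECT src_ip FROM hits WHERE is_bot = 1 GROUP BY src_ip "
        "HAVING COUNT(DISTINCT substr(ts, 1, 10)) >= ?",
        (min_days,),
    ).fetchall()
    return sorted(r[0] for r in rows)


def load_sample():
    """Ingest the constructed records and return the populated connection."""
    conn = open_db()
    for ts, ip, req in SAMPLE_REQUESTS:
        record_request(conn, ts, ip, req)
    return conn
```

Noise such as scanner hits is excluded from the per-day count, and the persistence query separates hosts that keep reconnecting from one-off contacts.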
