Malware tied to China detected in more than 170 countries, researchers say

The PlugX malware is associated with the Chinese Ministry of State Security.


A strain of malware associated with the Chinese Ministry of State Security has been detected in over 170 countries, as revealed by cybersecurity experts who gained control of a command and control server linked to it.

Sekoia, a cybersecurity firm, reported that they successfully seized control of the server in September 2023, unveiling a wealth of information regarding the spread of the PlugX malware. Originally developed by front organisations affiliated with the Chinese ministry in 2008, PlugX has been extensively used by various espionage groups within the country. In 2020, a threat actor known as Mustang Panda augmented the malware, enabling it to spread through connected USB flash drives, aiming to infiltrate non-connected networks. Mustang Panda, notorious for targeting governments involved in the Belt and Road Initiative, is suspected to be behind PlugX’s deployment.

Outbreaks of PlugX were observed in 2022 in Papua New Guinea and Ghana, and in 2023, cybersecurity researchers at Sophos observed localised outbreaks of a new PlugX variant disseminated via USB drives in Mongolia, Zimbabwe, and Nigeria.

Sekoia’s team acquired the unique IP address linked to the variant identified by Sophos for $7 and found that ‘between 90 to 100k unique IP addresses are sending PlugX distinctive requests every day.’

In a snapshot of PlugX activity over one day, Sekoia found that over 80% of total infections were concentrated in approximately 15 countries, with Nigeria, India, Iran, and Indonesia leading the count.
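The daily unique-IP count and the per-country concentration described above are the kind of figures a defender derives from a sinkhole's access logs. The Python script below is an added illustration and is not Sekoia's tooling or data: the log line layout (timestamp, source IP, GeoIP country, request path) and the sample lines are constructed, and the counting rules (one host per distinct IP per day, first-seen country wins) are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of sinkhole access log lines (not real telemetry).
# Assumed layout: "<ISO timestamp> <source IP> <GeoIP country> <request path>"
SAMPLE_LOG = """\
2024-04-25T00:01:02Z 203.0.113.10 NG /update
2024-04-25T00:03:11Z 203.0.113.10 NG /update
2024-04-25T00:04:20Z 198.51.100.7 IN /update
2024-04-25T01:15:00Z 198.51.100.9 IN /update
2024-04-25T02:00:00Z 192.0.2.44 IR /update
2024-04-25T03:30:00Z 192.0.2.45 ID /update
2024-04-25T04:00:00Z 192.0.2.46 NG /update
2024-04-25T05:00:00Z 192.0.2.47 US /update
2024-04-25T05:00:01Z not-an-ip ZZ /update
2024-04-26T00:00:00Z 203.0.113.10 NG /update
"""


def parse_sinkhole_log(text):
    """Yield (date, ip, country) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, ip, country = parts[0], parts[1], parts[2]
        try:
            day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
            ipaddress.ip_address(ip)  # rejects garbage such as "not-an-ip"
        except ValueError:
            continue
        yield day, ip, country


def unique_ips_per_day(text):
    """Distinct source IPs per calendar day: an infected host beacons many times,
    so raw request counts would overstate the infected population."""
    per_day = defaultdict(set)
    for day, ip, _ in parse_sinkhole_log(text):
        per_day[day].add(ip)
    return {day.isoformat(): len(ips) for day, ips in per_day.items()}


def country_snapshot(text, day):
    """Return (Counter of unique IPs by country, total unique IPs) for one day.
    The first country seen for an IP is kept (assumption, in case GeoIP flaps)."""
    seen = {}
    for d, ip, country in parse_sinkhole_log(text):
        if d.isoformat() == day:
            seen.setdefault(ip, country)
    return Counter(seen.values()), len(seen)


def top_n_share(counts, total, n):
    """Fraction of the day's unique infected IPs located in the n most affected
    countries; 0.0 when there is no data rather than a division error."""
    if total == 0:
        return 0.0
    return sum(c for _, c in counts.most_common(n)) / total


if __name__ == "__main__":
    print("unique IPs per day:", unique_ips_per_day(SAMPLE_LOG))
    counts, total = country_snapshot(SAMPLE_LOG, "2024-04-25")
    print("by country:", dict(counts), "total:", total)
    print("share of top 2 countries: %.1f%%" % (100 * top_n_share(counts, total, 2)))
```

On real sinkhole data the deduplication step matters most: many PlugX hosts sit behind a shared NAT or carrier-grade NAT address, so a unique-IP count is a lower bound on infected machines, and a single host on a changing address can appear as several; both directions of error should be stated alongside any "infections per country" figure.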

Sekoia noted that the leading infected countries displayed few similarities, suggesting the malware may have originated from multiple sources globally. They speculated that the malware’s development might be linked to gathering intelligence on the strategic and security aspects of the Belt and Road Initiative, especially its maritime and economic dimensions.

Sekoia eventually uncovered a method to command the malware to self-destruct, effectively disinfecting a system. However, they expressed concerns about the potential legal ramifications of executing a widespread disinfection campaign, typically undertaken only by law enforcement agencies like the FBI.

Ultimately, they decided to delegate the decision on disinfection to national Computer Emergency Response Teams (CERTs), law enforcement agencies (LEAs), and cybersecurity authorities, providing them with the necessary tools to remove the implant from infected hosts. The researchers warn that the malware may persist on networks disconnected from the internet and on infected USB devices.