PlugX Infections — Is that You?

Barry Greene
Aug 1, 2024


The French government treats the massive number of PlugX infections as a national threat. PlugX is malware used by nation-state threat actors to get inside networks. Sekoia was part of a sinkholing action that uncovered thousands of locations where PlugX is deployed. Should you be concerned? How do you discover whether a lingering PlugX infection is on your network?

Yes, you should be concerned. The Shadowserver Foundation is working with Sekoia and other peer groups to provide details of computers inside your network that have PlugX installed. If PlugX is installed in your network, it means:

  • At some point, a nation-state threat actor got malware into your network.
  • Over time, your endpoint protection and anti-virus have not removed PlugX from the devices in your network.
  • If PlugX is in your network, expect the threat actors to have a foothold inside it. A detailed investigation is warranted.

Q. How do I know if PlugX is inside my network?

A. Subscribe to the Shadowserver Foundation’s free Cyber Civil Defence reporting and check the reports for devices that are “sinkholed” (see below for an explanation of a sinkhole).

For the PlugX variant that is presently sinkholed, roughly 9,000 devices are checking in (see below).

What is a Sinkhole Operation?

A sinkhole operation takes control of the domain names or IP addresses the malware uses for Command & Control (C&C). Every bot, implant, or infection that is still alive keeps “checking in” with what it believes is its C&C, but the check-in now lands on infrastructure the defenders control. Each check-in records the public source IP, source port, and timestamp of an infected host, which is what makes victim notification possible. Malware establishes persistence to stay inside the network, and endpoint protection often never finds these lingering deployments. Sinkhole operations are one tool the community uses to take over the C&C, collect the list of infected hosts, and then notify the victims.

In this case, Sekoia.io performed the PlugX sinkhole. Sekoia works with the community to take action to alert victims, and the Shadowserver Foundation was one of the partners Sekoia worked with to enable victim notification.

Governments also participate, as stated in the French CYBERCRIME (J3) — DISMANTLING THE PLUGX BOTNET — PRESS RELEASE:

“Following a report from the Sekoia.io company, the J3 section of the Parquet de Paris opened a preliminary investigation entrusted to the C3N (Centre for the Fight against Digital Crime of the National Gendarmerie, Commandement du ministère de l’Intérieur dans le cyberespace (COMCYBER-MI)) concerning a network of zombie machines (botnets) with several million victims worldwide, including several thousand in France. This botnet has been used in particular for espionage purposes.”

How do you find out if PlugX is on your network?

Subscribe to the Shadowserver Foundation’s free Cyber Civil Defence reporting. Data on PlugX and other infections is listed in the CRITICAL: Sinkhole Events Report. Look for “PlugX” in the “

Here are two examples (sanitized):

Each row carries a precise timestamp (UTC), the public source IP, and the source port of the check-in. Together these let an organization search its firewall, NAT, and CGNAT logs for the translation that carried the connection and so identify the internal host behind the public address. Matching on the public IP alone is not enough behind NAT: use the source port and, where the log has it, the destination (the sinkhole address), and make sure your log clocks are synchronized with UTC.
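The correlation step described above, as an added example that is not part of the original post or of Shadowserver’s own tooling. Both inputs are constructed: the CSV mimics the shape of a sinkhole events report (the column names are a simplified assumption; check the schema of the real report), and the NAT log uses a hypothetical syslog format that you would adapt to your firewall or CGNAT device. The example deliberately includes a reused outside port so the matching logic has to use the destination as well as the port.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a sinkhole events report (UTC timestamps).
# Column names are a simplified assumption, not the exact report schema.
SINKHOLE_CSV = """\
timestamp,protocol,src_ip,src_port,src_asn,dst_ip,dst_port,infection,family,tag
2024-07-30 03:12:41,tcp,203.0.113.10,51234,64500,198.51.100.5,80,plugx,plugx,plugx
2024-07-30 03:15:02,tcp,203.0.113.10,49877,64500,198.51.100.5,80,plugx,plugx,plugx
2024-07-30 04:01:55,tcp,203.0.113.22,40001,64500,198.51.100.9,443,mirai,mirai,mirai
"""

# Constructed NAT/CGNAT translation log in a hypothetical format; adapt NAT_RE
# to your device's syslog.  The last line reuses outside port 49877 for a
# different internal host and destination, which a port-only match would confuse.
NAT_LOG = """\
2024-07-30T03:12:40Z NAT-CREATE proto=tcp inside=10.20.30.40:52211 outside=203.0.113.10:51234 dst=198.51.100.5:80
2024-07-30T03:14:59Z NAT-CREATE proto=tcp inside=10.20.30.77:60122 outside=203.0.113.10:49877 dst=198.51.100.5:80
2024-07-30T03:15:00Z NAT-CREATE proto=tcp inside=10.20.30.40:52300 outside=203.0.113.10:49877 dst=192.0.2.5:443
"""

NAT_RE = re.compile(
    r"^(?P<ts>\S+) NAT-CREATE proto=(?P<proto>\w+) "
    r"inside=(?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"outside=(?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


def plugx_events(csv_text):
    """Return sinkhole rows whose infection/family/tag fields name PlugX."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        labels = " ".join(row.get(k, "") for k in ("infection", "family", "tag")).lower()
        if "plugx" in labels:
            row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            events.append(row)
    return events


def parse_nat_log(text):
    """Parse NAT translation records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def correlate(events, nat_records, window=timedelta(seconds=60)):
    """Match each sinkhole check-in to the NAT translation that carried it.

    A match needs the same protocol, public source IP and source port, the same
    destination (the sinkhole address), and a NAT timestamp within +/- window of
    the sinkhole timestamp.  On CGNAT an outside port is reused across hosts and
    destinations, so port alone is not a reliable key.
    """
    matches = []
    for ev in events:
        for rec in nat_records:
            if (rec["proto"] == ev["protocol"]
                    and rec["out_ip"] == ev["src_ip"]
                    and rec["out_port"] == ev["src_port"]
                    and rec["dst_ip"] == ev["dst_ip"]
                    and rec["dst_port"] == ev["dst_port"]
                    and abs(rec["ts"] - ev["ts"]) <= window):
                matches.append({
                    "sinkhole_ts": ev["timestamp"],
                    "inside_ip": rec["in_ip"],
                    "inside_port": rec["in_port"],
                    "public": f'{ev["src_ip"]}:{ev["src_port"]}',
                    "family": ev["family"],
                })
    return matches


def infected_hosts(csv_text=SINKHOLE_CSV, nat_text=NAT_LOG):
    """Deduplicated internal IPs that beaconed to the PlugX sinkhole."""
    return sorted({m["inside_ip"] for m in correlate(plugx_events(csv_text), parse_nat_log(nat_text))})


if __name__ == "__main__":
    for m in correlate(plugx_events(SINKHOLE_CSV), parse_nat_log(NAT_LOG)):
        print(m)
    print("hosts to investigate:", infected_hosts())
```

With the constructed inputs the script attributes the two PlugX check-ins to 10.20.30.40 and 10.20.30.77 and ignores the third NAT line, whose outside port matches but whose destination does not. The Mirai row never enters the correlation. On a real network, widen the window if your NAT device logs session creation well before the first packet, and keep the match on destination even if it means parsing an extra field from the log.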

Are you looking for low-cost & effective cyber security & resiliency?

Do your homework before spending $$$ on vendor solutions that try to match many of the public benefit cybersecurity tools. Reach out to a community with decades of experience who seek to help organizations minimize their cybersecurity risk through essentials that leverage public benefit services. Cyber Civil Defence tools like Shadowserver.org provide organizations with quality that cannot be matched through commercial alternatives.

  • Subscribe to the Senki Community Mailing List. Stay connected to Surfing Cybersecurity practical advice and critical “do this now” operational security recommendations by email.
  • Subscribe to the Shadowserver Foundation’s and Senki’s YouTube channels. Catch videos designed to empower you with cost-effective techniques for safeguarding your network.

The materials and guides posted on www.senki.org are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each offers no-nonsense security guidance for operators, with the details they need to build more resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.

Originally published at https://www.senki.org on August 1, 2024.
