PlugX
PlugX is a sophisticated modular remote access trojan (RAT) that has been used for over a decade in targeted attacks, primarily by China-linked APT groups. It gives attackers full control over an infected system while evading detection.
The PlugX malware is known for its modular design, which allows it to be easily customized and adapted for different attack scenarios. It can be used to steal sensitive data, monitor user activity, and even execute arbitrary code on the compromised system.
It has been linked to advanced persistent threat (APT) groups, particularly those believed to be operating out of China. It has been used in attacks targeting a wide range of organizations, including government agencies, military institutions, and private companies.
One of the key features of PlugX is its ability to evade detection by security solutions. It uses various techniques to hide its presence on the infected system, making it difficult for traditional antivirus software to identify and remove it.
In March 2023, Sophos published a blog post highlighting a variant of PlugX with worming capabilities. Based on this research, our CTI team decided to acquire the unique IP address linked to a variant of this worm, with a clear goal: to create a sinkhole, collect telemetry data from infected workstations and study the inner workings of PlugX's communications cryptography.
By studying the cryptography of PlugX's communications, we discovered that it was possible to send sanitization commands to compromised workstations.
- If you'd like to learn more about this, check out this article
- You can also see the replay of the PlugX conference talk by our researchers: Unplugging PlugX: Sinkholing the PlugX USB worm botnet - Félix Aimé and Charles Meslay.