Abstract
The PlugX malware has been used in espionage operations by groups linked to the Chinese government since at least 2008. It was initially developed to target government and military organizations in Asian countries and was subsequently used against Western countries. Some researchers believe that its source code was leaked in 2015, leading to further updates by various groups. PlugX often executes on a victim's machine via DLL side-loading: a legitimate executable loads a malicious DLL, which causes the main malware component, stored in an encrypted binary file, to be mapped into memory and then executed. In 2020, a new component was added to enhance PlugX's capabilities by infecting devices connected via USB to an already infected machine. This version, known as PlugX USB, can be considered both a Remote Access Trojan (RAT) and a worm, since it not only provides remote access to the victim machine but also replicates automatically and spreads to newly attached USB devices. In March 2023, the cybersecurity firm Sophos reported that all PlugX samples were communicating with a Command and Control (C&C) server at 45.142.166.112 (hosted by GreenCloud). By September 2023, the cybersecurity firm Sekoia, after requesting it from GreenCloud, acquired the IP address, set up a mock C&C server, and observed that, each day, between 90,000 and 100,000 infected hosts with unique IP addresses from over 170 countries were sending requests to this server, revealing the malware's extensive global reach.
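As an added defender-side example that is not from the original paper, the following Python heuristic looks for the on-disk layout of the side-loading chain described above: a legitimate executable, a DLL beside it, and a high-entropy non-PE file holding the encrypted payload. All file paths and contents are constructed, and the entropy threshold is an assumption.

```python
import math
import ntpath
from collections import defaultdict

# Constructed in-memory "file system" (path -> bytes); not real PlugX artefacts.
MZ = b"MZ" + b"\x00" * 62  # minimal PE-looking header for the sample files
SAMPLE_FILES = {
    # Loading triad: legitimate exe, side-loaded DLL, encrypted payload blob
    r"C:\Users\u\AppData\Roaming\svc\legit.exe": MZ + b"\x00" * 200,
    r"C:\Users\u\AppData\Roaming\svc\helper.dll": MZ + b"\x00" * 200,
    r"C:\Users\u\AppData\Roaming\svc\helper.dat": bytes(range(256)) * 4,
    # Benign directory: exe and dll, but only a plain-text config beside them
    r"C:\Program Files\app\app.exe": MZ + b"\x00" * 200,
    r"C:\Program Files\app\app.dll": MZ + b"\x00" * 200,
    r"C:\Program Files\app\config.ini": b"[settings]\nkey=value\n" * 20,
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_pe(data: bytes) -> bool:
    """A PE image starts with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"


def find_sideload_triads(files, entropy_threshold=7.0):
    """Return directories holding a PE .exe, a PE .dll and a high-entropy
    non-PE file, i.e. the layout of the side-loading chain described above."""
    by_dir = defaultdict(lambda: {"exe": False, "dll": False, "blob": False})
    for path, data in files.items():
        directory = ntpath.dirname(path)  # ntpath splits Windows paths on any OS
        ext = ntpath.splitext(path)[1].lower()
        if ext == ".exe" and is_pe(data):
            by_dir[directory]["exe"] = True
        elif ext == ".dll" and is_pe(data):
            by_dir[directory]["dll"] = True
        elif not is_pe(data) and shannon_entropy(data) >= entropy_threshold:
            by_dir[directory]["blob"] = True
    return sorted(d for d, flags in by_dir.items() if all(flags.values()))


if __name__ == "__main__":
    for suspicious_dir in find_sideload_triads(SAMPLE_FILES):
        print("possible side-loading triad in:", suspicious_dir)
```

A match is a triage lead, not proof of infection: confirm by checking the executable's signature and comparing the DLL against the vendor's shipped copy.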