Hackers can use the PlugX USB worm to steal data from various countries

Cybersecurity experts might leave it alone or make it self-destruct

Reading time icon 3 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

An image of the PlugX USB worm generated by the AI

The PlugX USB worm is malware that can infect various devices when it connects to them through their USB ports. It doesn’t need any end-user interaction to work. In addition, it can self-replicate and spread to new USB devices automatically. On top of that, its original creators abandoned it, and its botnet is dead. However, according to Sophos researchers, anyone could use it to send commands or repurpose it for malicious activities. Yet, they would need to have access to its server.

After thorough research, Sekoia researchers discovered that their server receives between 90,000 and 100,000 distinctive PlugX requests daily from unique IP addresses. So, they concluded that the malware spread to millions of devices.

Who uses the PlugX USB worm?

The first version of the PlugX malware appeared in 2008. Back then, Chinese threat actors used it in a campaign against government-related users and an organization from Japan. Afterward, the virus mainly stayed in Asia until 2012, but then it spread to other parts of the world. Yet, various companies changed the PlugX malware and developed new versions, such as the worm. Also, most cybercriminals have ties with the Chinese Ministry of State Security.

The PlugX USB worm allows hackers to steal data, perform remote commands, upload and download files, and execute programs on the device. To install it, they used the DLL Side-Loading technique. Through it, the virus could infiltrate a system by hiding inside a DLL file.

How can we get rid of the PlugX malware?

There aren’t too many options to get rid of the PlugX USB worm. However, it has a built-in self-delete feature. Yet, the self-destruction option might result in legitimate data loss. On top of that, there is a risk of reinfection since disinfection might not reach all affected devices.

Fortunately, the Sekoia team took action and proposed to Law Enforcement Agencies and national Computer Emergency Response Teams to remove the PlugX USB worm remotely. Additionally, they record the information to keep track of the virus. In addition, the researchers will use their removal payloads and commands on the requests from the systems marked for disinfection to speed up the process.

Ultimately, cybersecurity experts from different countries will decide how to deal with the PlugX USB worm. After all, none of the existing methods represents is free of risks. Thus, it might be hard to figure out what to do. Also, since the PlugX USB malware might exist on external devices that won’t take part in disinfection, the virus might resurface in a while. Also, another version of the malware could infect devices in its absence.

What are your thoughts? What should experts do? Let us know in the comments.

More about the topics: Cybersecurity, security threats

User forum

0 messages