A self-propagating malware codenamed PlugX worm has infected about 2.5 million IP addresses across the world, with Nigeria among the most heavily impacted nations, the Nigeria Computer Emergency Response Team (ngCERT) has warned.
The Nigerian internet police’s recent findings reveal that a USB malware first detected in 2020 remains a significant threat, actively spreading across systems worldwide, ngCERT warned in an advisory.
Over the past six months, ngCERT said it has monitored the malware’s activity, identifying over 100,000 unique IPs that still send daily requests to a control sinkhole, signaling that the botnet is still operational. Remarkably, 15 of the affected countries, including Nigeria, account for 80% of the recorded infections.
PlugX, ngCERT said, operates as a Remote Access Trojan (RAT), enabling attackers to gain unauthorised access, steal sensitive data, and conduct various malicious activities on compromised systems. The malware’s persistence and self-propagating nature raise concerns about its potential use for intelligence gathering on strategic and security matters.
“Once executed from the host,” ngCERT said, “the worm component of this PlugX variant checks every 30 seconds for the connection of a new flash drive to automatically infect. Its self-propagating capability, coupled with its tenacity mechanism, enables it to stay active, allowing it to control a broad network of compromised computers globally. Despite losing control over the botnet, anyone with interception abilities can still use the compromised hosts for malicious purposes.”
The PlugX worm infection could result in unauthorised system access; privacy invasion; data loss and exfiltration; remote storage of illegal files and possible Denial of Service (DoS) attacks.
ngCERT on how PlugX infects systems
1. The worm infects USB drives by adding a Windows shortcut file named after the drive and hides malicious files in a folder named RECYCLER.BIN.
2. It moves legitimate content to a hidden directory named with a non-breaking space character (hexadecimal code: 0xA0).
3. When a user opens the USB device, they see a shortcut that, when clicked, triggers the infection.
4. The malware then copies itself to the host system, establishes persistence through the registry, and re-executes from the host, scanning for new USB drives to infect the entire registry.

PlugX worm: Recommended actions for mitigation

1. Block identified indicators of compromise (IoCs) on all applicable security systems.
2. Regularly back up critical data and applications.
3. Ensure systems are updated and patched consistently.
4. Avoid downloading and running files from untrusted sources.
5. Use strong antivirus and anti-malware solutions.
6. Secure USB ports and educate users about the dangers of using untrusted USB devices.
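As an added defender's example (not code from the ngCERT advisory or this article), the following Python script checks the root of a removable drive for the three artefacts the infection chain above describes: a shortcut named after the volume label, a RECYCLER.BIN folder, and a directory whose name consists only of non-breaking space (0xA0) characters holding the relocated user files. The volume label "KINGSTON" and the file names are constructed sample data built in a temporary directory.

```python
import os
import tempfile

NBSP = "\xa0"                  # non-breaking space (0xA0) used as the hidden directory name
HIDDEN_FOLDER = "RECYCLER.BIN" # folder the advisory says hides the malicious files


def scan_removable_root(root: str, volume_label: str) -> list[str]:
    """Return human-readable findings for the PlugX USB artefacts found at a drive root."""
    findings = []
    if not os.path.isdir(root):
        return findings
    entries = os.listdir(root)
    by_lower = {e.lower(): e for e in entries}  # Windows file names are case-insensitive

    # 1. A .lnk shortcut named exactly after the drive label, sitting at the root.
    lnk = by_lower.get(f"{volume_label}.lnk".lower())
    if lnk:
        findings.append(f"shortcut named after the drive: {lnk}")

    # 2. A RECYCLER.BIN folder (the real Windows recycle folder is $RECYCLE.BIN).
    rec = by_lower.get(HIDDEN_FOLDER.lower())
    if rec and os.path.isdir(os.path.join(root, rec)):
        findings.append(f"payload folder: {rec}")

    # 3. A directory whose name is nothing but U+00A0 characters, holding relocated files.
    for e in entries:
        path = os.path.join(root, e)
        if e and set(e) == {NBSP} and os.path.isdir(path):
            moved = len(os.listdir(path))
            findings.append(f"directory named with {len(e)} x U+00A0 holding {moved} relocated item(s)")
    return findings


def build_constructed_sample(base: str) -> str:
    """Create a constructed mock of an infected drive root (sample data, not a real capture)."""
    root = os.path.join(base, "usb_root")
    os.makedirs(os.path.join(root, HIDDEN_FOLDER))
    os.makedirs(os.path.join(root, NBSP))
    for rel in ("KINGSTON.lnk", os.path.join(NBSP, "report.docx"),
                os.path.join(HIDDEN_FOLDER, "payload.dat")):
        open(os.path.join(root, rel), "w").close()
    return root


def demo_infected() -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:
        return scan_removable_root(build_constructed_sample(tmp), "KINGSTON")


def demo_clean() -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:
        return scan_removable_root(tmp, "KINGSTON")
```

On a real machine, point `scan_removable_root` at the mounted drive letter and pass the volume label reported by the operating system; any single finding is worth quarantining the drive before opening anything on it.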