Keypoints
- Acquired and sinkholed the PlugX C2 IP 45.142.166[.]112, recording continuous global beaconing from roughly 90k–100k unique public IPs per day.
- PlugX worm variant spreads via infected USB drives using LNK shortcuts and DLL side-loading (RECYCLER.BIN and hidden 0xA0 directory), enabling air-gap crossing.
- Implemented a lightweight sinkhole (Nginx + script + database) to validate PlugX requests using distinctive headers and to geolocate/store telemetry while rate-limiting to handle high beacon volume.
- Reverse engineering revealed the TCP/HTTP protocol uses a 16-byte encrypted header + compressed/encrypted payload with RC4 (key = hardcoded string + first 4 bytes of header), enabling forging of commands.
- PlugX supports a self-deletion command (0x1005) and remote payload upload/execution commands (0x1002, 0x3007, 0x300c, etc.), enabling two disinfection methods: lightweight host-only removal and a more intrusive host+USB cleanup.
- Because USB devices remain infected when PlugX runs from removable media and legal/technical limits exist (air-gapped systems, reinfection), full eradication requires coordinated sovereign disinfection and endpoint detections.
MITRE Techniques
- [T1574.002] DLL Side-Loading – Used to load the PlugX core: “a legitimate executable loads a malicious – or patched DLL – which then will map and execute in memory the core component of PlugX, which resides in an encrypted binary blob on the file system”.
- [T1091] Replication Through Removable Media – The wormable component infects USB drives “by adding to them a Windows shortcut file taking the name of the infected flash drive, and a DLL side loading triad … inside the drive RECYCLER.BIN”.
- [T1071.001] Application Layer Protocol: Web Protocols – PlugX uses HTTP/TCP for C2 with characteristic URIs and headers: “POST /[a-f0-9]{8} HTTP/1.1 … jsp-se: 0 … jsp-sn: 1”.
- [T1547.001] Registry Run Keys/Startup Folder – Persistence is achieved by creating a registry run key: “enables its persistence by creating a new key under HKCU\[…]\CurrentVersion\Run registry Key”.
- [T1105] Ingress Tool Transfer – PlugX supports uploading and executing payloads on victims; the listed commands include “0x3007, 0x10003008, 0x10003009: upload our payload on the %TEMP% directory”.
- [T1573] Encrypted Channel – Communications use RC4 with a composite key: “RC4 algorithm is used to encrypt both the header and payload with the same key. This key is the concatenation of a hard-coded string … and the first four bytes of the header sent by the C2”.
Indicators of Compromise
- [File Hashes] PlugX binaries – 432a07eb49473fa8c71d50ccaf2bc980b692d458ec4aaedd52d739cb377f3428, e8f55d0f327fd1d5f26428b890ef7fe878e135d494acda24ef01c695a2e9136d (and 5 more hashes).
- [IP Addresses] C2 / infrastructure – 45.142.166[.]112 (sinkholed by Sekoia), 103.56.53[.]46 (other known C2 / possible sinkhole), 45.251.240[.]55, 43.254.217[.]165.
- [Filenames / Paths] Installation and USB artifacts – %userprofile%/AvastSvcpCP/ (persistence location), wsc.dll (DLL component), RECYCLER.BIN and shortcut LNK files on infected USB drives (used for propagation).
- [Detection Rules] Yara signatures – examples include rule apt_MustangPanda_PlugXWorm_lnk (detects malicious LNK) and apt_MustangPanda_MaliciousDLL_random_exports (detects DLL with random exports) as provided in the article.
The technical remediation workflow began with acquiring and sinkholing the PlugX C2 IP (45.142.166[.]112) and deploying a lightweight front end (Nginx) that validates incoming requests by matching PlugX-specific URIs and headers, forwards the validated client IPs to a backend for geolocation and aggregation, and applies rate limiting (iptables hashlimit or probabilistic forwarding) to keep the beacon load manageable. The PlugX implants beacon over TCP/HTTP (ports 110, 443, 80) with distinguishing headers (jsp-se, jsp-st, jsp-si, jsp-sn), so the sinkhole can reliably identify genuine implants and record telemetry without responding to every request, which preserves resources.
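The request-validation and rate-limiting logic described above, written out as an added example (this is not Sekoia's sinkhole code). It parses raw HTTP requests, accepts only those that match the documented PlugX traits (a POST to an eight-hex-character URI carrying all four jsp-* headers), applies a per-source token bucket in the role iptables hashlimit plays, and aggregates unique IPs per country. The sample requests, IP addresses, header values for jsp-st/jsp-si, and the geolocation table are constructed for the demo; the page only gives jsp-se: 0 and jsp-sn: 1 as header values.

```python
import re
from collections import defaultdict

# PlugX beacon traits as the page describes them: "POST /[a-f0-9]{8}"
# plus the jsp-se / jsp-st / jsp-si / jsp-sn headers.
URI_RE = re.compile(r"^/[a-f0-9]{8}$")
REQUIRED_HEADERS = ("jsp-se", "jsp-st", "jsp-si", "jsp-sn")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, headers); None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def is_plugx_beacon(raw: bytes) -> bool:
    """True when the request matches the URI pattern and carries every jsp-* header."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, headers = parsed
    return (method == "POST"
            and URI_RE.match(uri) is not None
            and all(h in headers for h in REQUIRED_HEADERS))


class PerSourceLimiter:
    """Token bucket per source IP, standing in for iptables hashlimit."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec
        self.burst = burst
        self.state = {}  # ip -> (tokens, last_seen)

    def allow(self, ip: str, now: float) -> bool:
        tokens, last = self.state.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.state[ip] = (tokens - 1, now)
            return True
        self.state[ip] = (tokens, now)
        return False


def process_beacons(events, geo, limiter):
    """events: iterable of (timestamp, source_ip, raw_request).
    Returns (forwarded, unique IPs per country, dropped by the limiter)."""
    seen_by_country = defaultdict(set)
    forwarded = dropped = 0
    for ts, ip, raw in events:
        if not is_plugx_beacon(raw):
            continue  # scanners, crawlers, unrelated traffic: never answered
        if not limiter.allow(ip, ts):
            dropped += 1
            continue
        forwarded += 1
        seen_by_country[geo.get(ip, "unknown")].add(ip)
    return forwarded, {c: len(s) for c, s in seen_by_country.items()}, dropped


# --- constructed sample traffic (documentation IP ranges, placeholder values) ---
def beacon(uri: str = "/4e7a9c01") -> bytes:
    return (f"POST {uri} HTTP/1.1\r\nHost: 45.142.166.112\r\n"
            "jsp-se: 0\r\njsp-st: 0\r\njsp-si: 0\r\njsp-sn: 1\r\n"  # jsp-st/jsp-si values constructed
            "Content-Length: 0\r\n\r\n").encode()

SCANNER = b"GET / HTTP/1.1\r\nHost: 45.142.166.112\r\nUser-Agent: constructed-scanner\r\n\r\n"
NO_HEADERS = b"POST /4e7a9c01 HTTP/1.1\r\nHost: 45.142.166.112\r\nContent-Length: 0\r\n\r\n"
GEO = {"192.0.2.10": "XA", "198.51.100.7": "XB"}  # constructed; XA/XB are user-assigned codes

SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", beacon()),
    (0.1, "192.0.2.10", beacon()),
    (0.2, "192.0.2.10", beacon()),            # third hit inside the burst window: dropped
    (0.3, "198.51.100.7", beacon("/deadbeef")),
    (0.4, "203.0.113.5", SCANNER),            # not a PlugX beacon
    (0.5, "203.0.113.5", NO_HEADERS),         # right URI shape, missing jsp-* headers
    (5.0, "192.0.2.10", beacon()),            # bucket refilled: forwarded again
]


def run_demo():
    return process_beacons(SAMPLE_EVENTS, GEO, PerSourceLimiter(rate_per_sec=1.0, burst=2))


if __name__ == "__main__":
    print(run_demo())  # (4, {'XA': 1, 'XB': 1}, 1)
```

Counting unique IPs per country rather than raw hits is what makes the ~90k–100k daily figure meaningful: an implant that beacons every few seconds is still one infected host.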
Reverse engineering of the protocol showed that each message comprises an encrypted 16-byte header and a compressed, encrypted payload; both are RC4-encrypted with a key formed by concatenating a hard-coded string (sV!e@T#L$PH%) and the first four bytes of the header. Because the key derivation is deterministic and the same four-byte suffix can be reused, encrypted responses can be crafted, most notably the built-in self-deletion command (0x1005), and returned as the HTTP response to the implant's initial POST to trigger removal on the host. For USB remediation, the implant supports upload-and-execute commands (0x1002, 0x300e, 0x3007/0x10003008/0x10003009, 0x300c) that transfer a cleanup payload to %TEMP% and execute it to restore the USB directory structure; this method requires the USB drive to be present and is more intrusive.
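The RC4 layer of the protocol as the page describes it, written as an added forensic decoder for captured beacon traffic (this is not Sekoia's code). It derives the key from the hard-coded string plus the first four header bytes and strips RC4 from a 16-byte header and its payload. Two things are assumptions, because the page does not state them: the four key bytes travel in clear at the start of the header, and header and payload are each decrypted from a fresh keystream with the same key. The header field layout and the payload compression algorithm are not on the page either, so the decoded header is returned as raw bytes and the payload is left compressed. The sample capture is constructed by encrypting known bytes with the same routine.

```python
HARDCODED = b"sV!e@T#L$PH%"  # hard-coded key prefix quoted on the page
HEADER_LEN = 16


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_known_answer() -> bool:
    """Sanity check against the public RC4 test vector (key "Key", text "Plaintext")."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def derive_key(header: bytes) -> bytes:
    """Key = hard-coded string + first four bytes of the header, as the page states."""
    return HARDCODED + header[:4]


def decode_message(blob: bytes):
    """Return (decrypted 16-byte header, decrypted-but-still-compressed payload).
    Assumption: bytes 0..3 of the header are the cleartext key suffix; header bytes
    4..15 and the payload are separately RC4-encrypted with the derived key."""
    if len(blob) < HEADER_LEN:
        raise ValueError("truncated message: need at least 16 header bytes")
    key = derive_key(blob[:4])
    header = blob[:4] + rc4(key, blob[4:HEADER_LEN])
    payload = rc4(key, blob[HEADER_LEN:])
    return header, payload


# --- constructed sample: arbitrary header/payload bytes, encrypted with the same scheme ---
SAMPLE_HEADER = b"\x11\x22\x33\x44" + bytes(range(4, 16))   # 4 key bytes + 12 constructed bytes
SAMPLE_PAYLOAD = b"constructed compressed payload bytes"    # placeholder, not real compressed data


def sample_capture() -> bytes:
    key = derive_key(SAMPLE_HEADER)
    return SAMPLE_HEADER[:4] + rc4(key, SAMPLE_HEADER[4:]) + rc4(key, SAMPLE_PAYLOAD)


if __name__ == "__main__":
    hdr, body = decode_message(sample_capture())
    print("rc4 self-test:", rc4_known_answer())
    print("key:", derive_key(hdr))
    print("header:", hdr.hex(), "payload:", body)
```

When running this over a real capture, a decoded payload that does not decompress is the first sign that the implant variant uses a different hard-coded string or header layout than the one documented here.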
Operationally, two disinfection approaches were validated: a low-impact host-only deletion using command 0x1005 that removes PlugX from the executing system, and a more invasive host+USB payload sequence that deletes implant artifacts from both the host and the plugged-in flash drive and restores the original directories. Both methods have limits (they cannot reach air-gapped infections, USB-resident copies persist unless the drive is present during cleanup, and legal and sovereignty constraints apply), so the authors propose a “sovereign disinfection” model in which national CERTs/LEAs request telemetry and authorize disinfection for specified autonomous systems before any removal command is sent.
Read more: https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/