Indo Guard Online
Global Security

French authorities are launching an operation to remove the PlugX malware from infected systems

By Admin · July 27, 2024 · Malware / Cyber Intelligence

French judicial authorities, in cooperation with Europol, launched a so-called “disinfection operation” to rid compromised hosts of a known malware called PlugX.

Paris Prosecutor’s Office, Parquet de Paris, said the initiative was launched on July 18 and is expected to continue for “several months.”

It goes on to say that around a hundred victims in France, Malta, Portugal, Croatia, Slovakia and Austria have already benefited from clean-up efforts.

The development comes nearly three months after French cybersecurity firm Sekoia disclosed that in September 2023 it had taken over the command-and-control (C2) server associated with the PlugX Trojan by spending $7 to obtain its IP address. The firm also noted that nearly 100,000 unique public IP addresses were sending PlugX requests to the sinkholed domain every day.
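The figure above (unique public IP addresses per day hitting the sinkhole) is the basic telemetry a sinkhole operator produces. The script below is an added example, not Sekoia's code or anything from the article: it parses constructed sinkhole access-log lines (the format `date src_ip method path` is an assumption), drops malformed lines and non-routable sources such as RFC 1918, loopback and link-local addresses, and counts distinct sources per day and overall. The sample uses RFC 5737 documentation addresses, which Python's `ipaddress` classifies as non-global, so the filter uses an explicit exclusion list rather than `is_global`.

```python
"""Count unique public source IPs per day in sinkhole logs (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample log: "<YYYY-MM-DD> <src_ip> <method> <path>", one request per line.
# Addresses are RFC 5737 documentation ranges plus some non-routable sources
# that a sinkhole should not count (internal test traffic, loopback).
SAMPLE_LOG = """\
2024-07-18 203.0.113.5 GET /update
2024-07-18 203.0.113.5 GET /update
2024-07-18 198.51.100.77 GET /update
2024-07-18 10.0.0.4 GET /update
2024-07-18 not-an-ip GET /update
2024-07-19 203.0.113.5 GET /update
2024-07-19 192.0.2.200 GET /update
2024-07-19 127.0.0.1 GET /update
"""

# Source ranges a sinkhole operator excludes from victim counts. The RFC 5737
# documentation ranges used in the constructed sample are deliberately not
# listed here so that the sample produces a non-zero count.
NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",    # carrier-grade NAT
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "224.0.0.0/4",      # multicast
)]


def parse_line(line):
    """Return (day, ip_str) from one log line, or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def is_routable_source(ip_str):
    """True if ip_str is a syntactically valid address outside the excluded ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if ip.version == 6:
        return ip.is_global
    return not any(ip in net for net in NON_ROUTABLE_V4)


def unique_public_ips_per_day(log_text):
    """Map each day to the number of distinct routable source addresses seen."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, ip_str = parsed
        if is_routable_source(ip_str):
            per_day[day].add(ip_str)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def total_unique_public_ips(log_text):
    """Number of distinct routable sources across the whole log."""
    seen = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_routable_source(parsed[1]):
            seen.add(parsed[1])
    return len(seen)


if __name__ == "__main__":
    print(unique_public_ips_per_day(SAMPLE_LOG))   # {'2024-07-18': 2, '2024-07-19': 2}
    print(total_unique_public_ips(SAMPLE_LOG))     # 3
```

Counting by source address over-counts hosts behind carrier-grade NAT and under-counts those sharing a corporate egress, which is why such figures are reported as "unique public IP addresses" rather than as infected machines.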

PlugX (aka Korplug) is a Remote Access Trojan (RAT) that has been widely used by China-nexus threat actors since at least 2008 along with other malware families such as Gh0st RAT and ShadowPad.

The malware is typically launched on compromised hosts using DLL sideloading techniques, allowing threat actors to execute arbitrary commands, upload/download files, list files, and collect sensitive data.
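DLL sideloading, as described above, means a legitimate (often signed) executable is dropped next to a DLL that carries the attacker's payload, and the loader picks up that DLL from the executable's own directory instead of the system copy. One detection heuristic is to flag image-load events where a DLL with a well-known system DLL name is loaded from the same directory as the host process rather than from the Windows system directories. The script below is an added example, not code from Sekoia or the article: the events are constructed, the `SYSTEM_DLLS` list is an illustrative assumption (it is not a list of DLL names PlugX uses), and paths are handled with `ntpath` so the logic runs on any platform.

```python
"""Flag image-load events consistent with DLL sideloading (added example)."""
import ntpath

# Illustrative assumption: DLL names that normally live only in the Windows
# system directories. A real deployment would derive this from an inventory.
SYSTEM_DLLS = {"version.dll", "userenv.dll", "dwmapi.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Constructed image-load telemetry: which process loaded which DLL.
SAMPLE_EVENTS = [
    {"id": 1, "process_path": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "dll_path": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"id": 2, "process_path": r"C:\Program Files\Vendor\tool.exe",
     "dll_path": r"C:\Windows\System32\version.dll"},
    {"id": 3, "process_path": r"C:\Program Files\Vendor\tool.exe",
     "dll_path": r"C:\Program Files\Vendor\vendorhelper.dll"},
    {"id": 4, "process_path": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "dll_path": r"C:\Windows\SysWOW64\userenv.dll"},
    {"id": 5, "process_path": r"C:\ProgramData\cache\update.exe",
     "dll_path": r"C:\ProgramData\cache\dwmapi.dll"},
]


def is_suspicious_load(event):
    """True if a system-named DLL was loaded from the host executable's own directory."""
    exe_dir = ntpath.dirname(event["process_path"]).lower()
    dll_path = event["dll_path"].lower()
    dll_dir = ntpath.dirname(dll_path)
    dll_name = ntpath.basename(dll_path)
    if dll_name not in SYSTEM_DLLS:
        return False                      # vendor-specific DLL names are out of scope here
    if dll_dir.startswith(SYSTEM_DIRS):
        return False                      # the expected location for these DLLs
    return dll_dir == exe_dir             # same directory as the host process: sideload pattern


def triage(events):
    """Return the ids of events matching the sideloading heuristic, in input order."""
    return [e["id"] for e in events if is_suspicious_load(e)]


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))   # [1, 5]
```

This heuristic produces false positives for applications that legitimately ship private copies of system-named DLLs, so in practice it is combined with further signals such as the host executable being signed while the DLL is not, the executable running from a user-writable or temporary directory, or the DLL's hash not matching the Microsoft-shipped file.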

“Originally developed by Zhao Jibin (aka WHG), this backdoor has evolved throughout time in various variants,” Sekoia said at the beginning of April this year. “The PlugX builder has been split between several intrusion kits, most of which have been attributed to shell companies linked to China’s Ministry of State Security.”

Over the years, the malware has also incorporated a worm component that allows it to spread through infected USB drives, effectively bypassing air-gapped networks.

Sekoia, which developed the PlugX removal solution, said variants of the malware with a USB distribution mechanism come with a self-delete command (“0x1005”) to remove themselves from compromised workstations, although there is currently no way to remove the malware from the USB device itself.

“First, the worm has the ability to exist in air-gapped networks, making these infections beyond our reach,” it said. “Second, and perhaps even more noteworthy, the PlugX worm can reside on infected USB devices for extended periods of time without being connected to a workstation.”

Given the legal complexities involved in remotely removing malware from systems, the company also said it was deferring the decision to national computer emergency response teams (CERTs), law enforcement agencies (LEAs) and cybersecurity agencies.

“Following the report from Sekoia.io, the French judicial authorities launched a disinfection operation to dismantle the botnet controlled by the PlugX worm. PlugX affected several million victims worldwide,” Sekoia told The Hacker News. “The disinfection solution developed by the Sekoia.io TDR team has been offered through Europol to partner countries and is currently being rolled out.”

“We are happy to cooperate fruitfully with the actors involved in France (Department J3 of the Paris Prosecutor’s Office, the police, the gendarmerie and ANSSI) and internationally (Europol and police forces of third countries) to take action against the ongoing malicious cyber activity.”
