The US Department of Justice (DoJ) announced on Tuesday that a court-sanctioned operation allowed the Federal Bureau of Investigation (FBI) to remove the PlugX malware from more than 4,250 infected computers as part of a “month-long law enforcement operation.”
PlugX, also known as Korplug, is a Remote Access Trojan (RAT) widely used by threat actors associated with the People’s Republic of China (PRC) that enables information theft and remote control of compromised devices.
An affidavit The FBI filing notes that the identified PlugX variant is linked to a state-sponsored hacking group called Mustang Pandaalso called BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416 and Twill Typhoon.
“Since at least 2014, Mustang Panda hackers have penetrated thousands of computer systems at companies targeting victims in the US, as well as European and Asian governments and businesses, as well as Chinese dissident groups,” the Justice Department said. said.
Some of the other targets of the threat campaigns include Taiwan, Hong Kong, Japan, South Korea, Mongolia, India, Myanmar, Indonesia, Philippines, Thailand, Vietnam and Pakistan.
The failure is part of a larger “disinfection” effort that began in late July 2024 to rid compromised systems of the PlugX malware. The details of the activity were previously common The Paris prosecutor’s office and the cyber security firm Sekoia.
As previously detailed by Sekoia, this particular variant of PlugX is known to spread to other systems via connected USB devices. Once installed, the malware is directed to a server controlled by the attacker (“45.142.166(.)112”) to wait for further commands to collect data from the host.
At the end of April 2024, the company also revealed he spent just $7 to isolate a server available at the IP address in question, thereby opening up the possibility of issuing a self-remove command to remove malware from infected machines.
The team followed the steps listed below –
- Delete the files created by the PlugX malware on the victim computer
- Remove the PlugX registry keys used to automatically launch the PlugX application when the victim computer is started
- Create a temporary script file to remove the PlugX application after it is terminated
- Stop the PlugX application
- Run the temporary file to remove the PlugX application, delete the directory created on the victim computer by the PlugX malware to store PlugX files, and delete the temporary file from the victim computer
The FBI said the self-delete command does not affect any legitimate functions or files on the target devices located in the US, and does not transmit any other data from them.
Last month, Sekoia said 59,475 disinfection payloads targeting 5,539 IP addresses were issued as part of the legal framework created to run the PlugX disinfection process for 10 countries.
“This massive breach and continued infection of thousands of Windows computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of state-sponsored hackers in the PRC,” said Assistant Attorney General Matthew G. Olsen from the Ministry of Justice N
