French Authorities Initiate Operation to Remove PlugX Malware from Compromised Systems

French judicial authorities, in collaboration with Europol, have launched a so-called “disinfection operation” to rid compromised hosts of a known malware strain called PlugX.

The Paris Prosecutor’s Office, Parquet de Paris, stated that the initiative was launched on July 18 and is expected to continue for “several months.”

They further mentioned that approximately a hundred victims in France, Malta, Portugal, Croatia, Slovakia, and Austria have already benefited from the cleanup efforts.

This development comes after French cybersecurity firm Sekoia revealed that they sinkholed a command-and-control (C2) server related to the PlugX trojan in September 2023 by spending $7 on acquiring the IP address. It was also noted that almost 100,000 unique public IP addresses were sending PlugX requests daily to the seized domain.

PlugX (aka Korplug) is a remote access trojan (RAT) frequently used by China-nexus threat actors since 2008, along with other malware families like Gh0st RAT and ShadowPad.

This malware is typically deployed on compromised hosts using DLL side-loading techniques, allowing threat actors to execute arbitrary commands, upload and download files, enumerate files, and gather sensitive data.

“Initially developed by Zhao Jibin (aka WHG), this backdoor has evolved over time in different variants,” Sekoia explained earlier this April. “The PlugX builder was shared among several intrusion sets, most of them attributed to front companies linked to the Chinese Ministry of State Security.”

Over time, it has also integrated a wormable component that allows it to spread via infected USB drives, thereby effectively bridging air-gapped networks.

Sekoia, which developed a solution to eradicate PlugX, mentioned that versions of the malware with the USB distribution mechanism include a self-deletion command (“0x1005”) to remove itself from compromised workstations, although removing it from the USB devices themselves remains a challenge.

“The worm can survive on air-gapped networks, making these infections inaccessible to us,” they stated. “Moreover, the PlugX worm can persist on infected USB devices for an extended period without connecting to a workstation.”

Due to the legal complexities of remotely removing the malware from systems, Sekoia indicated that the decision has been passed to national Computer Emergency Response Teams (CERTs), law enforcement agencies (LEAs), and cybersecurity authorities.

Sekoia informed The Hacker News, “Following a report from Sekoia.io, a disinfection operation was initiated by the French judicial authorities to dismantle the botnet controlled by the PlugX worm. PlugX impacted millions of victims worldwide. A disinfection solution created by the Sekoia.io TDR team was proposed through Europol to partner countries and is currently being implemented.”

“We are pleased with the productive collaboration with stakeholders in France (section J3 of the Paris Public Prosecutor’s Office, Police, Gendarmerie, and ANSSI) and internationally (Europol and police forces of third countries) to combat persistent malicious cyber activities.”
