July 27, 2024 | Newsroom | Malware / Cyber Intelligence
French law enforcement officials, working with Europol, have launched a so-called “cleanup operation” to remove hosts infected with a known piece of malware called PlugX.
The Paris prosecutor’s office said the effort was launched on July 18 and is expected to continue for “several months.”
The office added that around 100 victims in France, Malta, Portugal, Croatia, Slovakia and Austria have already benefited from the cleanup efforts.
The development comes roughly three months after French cybersecurity firm Sekoia revealed that it had spent $7 in September 2023 to take down command-and-control (C2) servers linked to the PlugX trojan by acquiring their IP addresses. The firm also noted that roughly 100,000 unique public IP addresses were sending PlugX requests to the seized domains every day.
PlugX (aka Korplug) is a remote access trojan (RAT) that has been widely used by China-linked threat actors since at least 2008, along with other malware families such as Gh0st RAT and ShadowPad.
The malware is typically launched on a compromised host using DLL side-loading, allowing threat actors to execute arbitrary commands, upload and download files, enumerate files, and collect sensitive data.
“The backdoor was originally developed by Zhao Jibin (aka WHG) and evolved into different variants over time,” Sekoia said in early April. “The PlugX builder was shared across multiple intrusion sets, most of which were from front companies with ties to China’s Ministry of State Security.”
Over the years, it has also incorporated a wormable component, allowing it to spread via infected USB drives and effectively circumvent air-gapped networks.
According to Sekoia, which has devised a solution to remove PlugX, the malware variant with the USB delivery mechanism comes with a self-removal command (“0x1005”) to remove itself from a compromised workstation, but there is currently no way to remove it from the USB device itself.
“First, the worm’s ability to exist on isolated networks puts these infections out of our reach,” the company said. “Second, and perhaps more notable, the PlugX worm can persist on infected USB devices for long periods of time, even when they are not connected to a workstation.”
The company further said that given the legal complexities involved in remotely wiping malware from systems, it was leaving the decision to national Computer Emergency Response Teams (CERTs), Law Enforcement Agencies (LEAs) and cybersecurity authorities.
“Following a report from Sekoia.io, French law enforcement authorities launched a takedown operation to dismantle the botnet controlled by the PlugX worm, which affected millions of victims worldwide,” Sekoia told The Hacker News. “The takedown solution developed by the Sekoia.io TDR team has been proposed to partner countries through Europol and is currently being deployed.”
“We are pleased to have had fruitful cooperation with national (J3 Section of the Paris Prosecutor’s Office, police, gendarmerie, ANSSI) and international (Europol and third country police) actors in combating long-term malicious cyber operations.”