French Officials Commence Initiative to Eradicate PlugX Malware from Compromised Systems

Jul 27, 2024 | Newsroom | Malware / Cyber Intelligence

Judicial authorities in France, in partnership with Europol, have initiated a “purging operation” to eliminate the PlugX malware infection from compromised systems.


The Paris Public Prosecutor’s Office, Parquet de Paris, stated that the operation was activated on July 18 and is anticipated to extend over a span of “several months.”

It was also mentioned that approximately a hundred affected entities based in France, Malta, Portugal, Croatia, Slovakia, and Austria have already been subject to the cleansing process.

This development comes almost ninety days after French cybersecurity company Sekoia disclosed that it had gained control of a command-and-control (C2) server associated with the PlugX trojan in September 2023 by spending $7 to acquire its IP address. The company also noted that nearly 100,000 distinct public IP addresses were sending PlugX requests to the sinkholed domain every day.


PlugX, also known as Korplug, is a remote access trojan (RAT) that has been widely used by China-linked threat actors since at least 2008, alongside other malware families such as Gh0st RAT and ShadowPad.

PlugX is typically delivered to compromised systems via DLL side-loading, giving its operators the ability to execute arbitrary commands, transfer files, enumerate files, and harvest confidential information.

“This illicit access tool, initially crafted by Zhao Jibin (aka WHG), progressed through different versions over time,” Sekoia mentioned earlier this month. “The PlugX creator was shared among several different intrusion sets, most of which have ties to front entities linked to the Chinese Ministry of State Security.”


Over time, it has also gained a self-replicating (worm) capability that lets it spread via compromised USB drives, allowing it to reach isolated networks.

Sekoia, which devised a method to eradicate PlugX, reported that the variants with USB-spreading capability support a self-delete command (0x1005) that uninstalls the malware from the compromised workstation, although removing it from the USB devices themselves is not currently feasible.

“Primarily, the worm has the ability to persist within isolated networks, making these infections beyond our control,” it remarked. “Secondly, and possibly more significantly, the PlugX worm can survive on infected USB devices for an extended period without being linked to a workstation.”

Considering the legal complexities associated with remotely purging the malware from systems, the company indicated that the decision-making responsibility has been shifted to national Computer Emergency Response Teams (CERTs), law enforcement entities (LEAs), and cybersecurity agencies.

“Following a report from Sekoia.io, a purification operation was instigated by the French judicial authorities to dismantle the botnet managed by the PlugX worm. PlugX impacted several million victims globally,” Sekoia informed The Hacker News. “A cleansing solution engineered by the Sekoia.io TDR team was suggested via Europol to collaborating nations and is currently in the deployment phase.”

“We are content with the productive collaboration with the stakeholders in France (branch J3 of the Paris Public Prosecutor’s Office, Police, Gendarmerie, and ANSSI) and on a global scale (Europol and police units of other countries) to counter prolonged malicious cyber activities.”
