French judicial authorities, working with Europol, have launched a so-called "disinfection operation" to rid compromised hosts of the PlugX malware.
The Paris Prosecutor's Office (Parquet de Paris) said the operation began on July 18 and will continue for several months.
Roughly a hundred victims located in France, Malta, Portugal, Croatia, Slovakia and Austria have already benefited from the cleanup.
The announcement comes nearly three months after French cybersecurity firm Sekoia disclosed that, in September 2023, it had sinkholed a command-and-control (C2) server linked to PlugX by spending $7 to acquire the server's IP address. Sekoia noted that close to 100,000 unique public IP addresses were still sending PlugX requests to the sinkholed domain every day.
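The "unique public IP addresses per day" figure above is the standard way a sinkhole operator sizes a botnet: raw hits overcount (one host beacons many times a day), and hits from private, reserved or non-global addresses are noise from NAT, scanners or misconfiguration rather than victims. The following Python script is an added example, not Sekoia's tooling or any real sinkhole data; the log format ("date source_ip method path"), the beacon criterion (POST /update) and the sample lines are all constructed for illustration.

```python
"""Count daily unique public source IPs beaconing to a sinkhole.

Added example with a constructed log format; not Sekoia's code and not
the real PlugX beacon format.
"""
import ipaddress
from collections import defaultdict

# Constructed sample sinkhole log (hypothetical format: "<date> <source_ip> <method> <path>").
# Includes duplicates, a private address, a documentation-range address,
# an IPv6 client, a malformed address and a non-beacon request.
SAMPLE_SINKHOLE_LOG = """\
2023-09-20 1.2.3.4 POST /update
2023-09-20 1.2.3.4 POST /update
2023-09-20 5.6.7.8 POST /update
2023-09-20 10.0.0.5 POST /update
2023-09-20 192.0.2.44 POST /update
2023-09-21 1.2.3.4 POST /update
2023-09-21 2a00::1 POST /update
2023-09-21 not-an-ip POST /update
2023-09-21 5.6.7.8 GET /
"""


def parse_line(line):
    """Split one log line into (day, ip_address, method, path); None if unparseable."""
    parts = line.split()
    if len(parts) < 4:
        return None
    day, src, method, path = parts[0], parts[1], parts[2], parts[3]
    try:
        ip = ipaddress.ip_address(src)  # handles both IPv4 and IPv6
    except ValueError:
        return None  # malformed source address: skip rather than crash
    return day, ip, method, path


def is_beacon(method, path):
    """Constructed criterion for 'this request looks like an implant check-in'."""
    return method == "POST" and path == "/update"


def daily_unique_public_ips(log_text):
    """Map each day to the number of distinct globally routable IPs that beaconed.

    Private (RFC 1918), loopback, link-local and documentation ranges
    (192.0.2.0/24, 2001:db8::/32, ...) are excluded via ip.is_global, since
    they cannot be real Internet victims.
    """
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        day, ip, method, path = rec
        if not is_beacon(method, path):
            continue
        if not ip.is_global:
            continue
        per_day[day].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


if __name__ == "__main__":
    for day, count in daily_unique_public_ips(SAMPLE_SINKHOLE_LOG).items():
        print(f"{day}: {count} unique public beaconing IPs")
```

Deduplicating per source IP still undercounts hosts behind carrier-grade NAT and overcounts hosts whose address changes during the day, so treat such a daily figure as an order-of-magnitude estimate rather than a host count.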
PlugX, also known as Korplug, is a remote access trojan (RAT) that China-nexus threat actors have used since at least 2008, often alongside other malware families.
It is typically loaded onto compromised systems through DLL side-loading, in which a legitimate signed executable is made to load a malicious DLL dropped next to it under the name it expects. Once running, the backdoor lets operators execute arbitrary commands, steal files and collect system information.
"This backdoor, originally developed by Zhao Jibin (aka WHG), evolved over time in different variants," Sekoia noted in April 2024. "The PlugX builder was shared between several intrusion sets, most of them attributed to front companies linked to the Chinese Ministry of State Security."
Over the years the malware also gained a wormable component that spreads through infected USB drives, which lets it reach air-gapped networks.
Sekoia, which developed the disinfection solution, pointed out that these variants implement a self-deletion command ("0x1005") that removes the malware from an infected workstation, but no equivalent command exists to remove it from an infected USB drive.
That is what makes the USB infections hard to contain: the worm can sit dormant on a compromised drive and reinfect any host it is later plugged into, so cleaning the host alone does not end the infection.
Given the legal complexities of remotely wiping malware from devices, the company said it has left the decision on whether to disinfect to national Computer Emergency Response Teams (CERTs), law enforcement agencies (LEAs) and cybersecurity authorities.
French judicial authorities initiated the disinfection operation in response to a report from Sekoia.io on the botnet controlled by the PlugX worm, which Sekoia told The Hacker News has compromised millions of hosts worldwide. "A disinfection solution developed by Sekoia.io's TDR team has been proposed by Europol for global adoption and is currently being rolled out worldwide."
“We are pleased with the productive collaboration we have enjoyed with key stakeholders in France – including the Paris Public Prosecutor’s Office, Police, Gendarmerie, and ANSSI – as well as our international partners, Europol and law enforcement agencies from third countries, to take decisive action against persistent malicious cyber threats.”