French judicial authorities, in collaboration with Europol, have launched a significant operation to remove the notorious PlugX malware from compromised systems. The initiative, which began on July 18, 2024, is expected to last several months and aims to clean infected devices in multiple countries, including France, Malta, Portugal, Croatia, Slovakia, and Austria.
Key Takeaways
French authorities, with Europol, have initiated a disinfection operation against PlugX malware.
The operation targets infected systems in several European countries.
The initiative follows the sinkholing of a PlugX command-and-control server by cybersecurity firm Sekoia.
The malware, used by Chinese threat actors, has infected millions of devices globally.
Background on PlugX Malware
PlugX, also known as Korplug, is a remote access trojan (RAT) that has been in use since at least 2008. It is primarily associated with Chinese threat actors and is known for its ability to execute arbitrary commands, upload and download files, enumerate files, and harvest sensitive data. The malware is typically deployed using DLL side-loading techniques and has evolved to include a wormable component that allows it to spread via infected USB drives.
The Disinfection Operation
The Paris Prosecutor's Office, Parquet de Paris, announced the operation, which aims to rid compromised hosts of PlugX. The operation is being conducted by the Center for the Fight Against Digital Crime (C3N) of the National Gendarmerie, with assistance from Sekoia. Sekoia had previously sinkholed a command-and-control server for a widely distributed PlugX variant, which had been abandoned by its original operator but continued to spread independently.
Technical Details
Sekoia's solution involves pushing a custom PlugX plugin to infected devices, which issues a self-deletion command to remove the malware. The firm also proposed a method to scan connected USB flash drives for the malware, although this approach carries the risk of damaging the media and preventing access to legitimate files.
Legal and Operational Challenges
Given the potential legal challenges of remotely wiping malware from systems, Sekoia deferred the decision to national Computer Emergency Response Teams (CERTs), law enforcement agencies, and cybersecurity authorities. The operation has received support from various international partners, including Europol and police forces from multiple countries.
Impact and Future Steps
The disinfection operation is expected to continue for several months, possibly concluding by late 2024. The National Agency for the Security of Information Systems (ANSSI) will notify victims in France about the clean-up process. With the Paris 2024 Olympic Games approaching, French authorities are on high alert to mitigate any cybersecurity risks.
Recommendations for Users
Be cautious when using USB drives, especially in public places like printing shops.
Scan USB devices before connecting them to systems with sensitive data.
Stay informed about updates from cybersecurity authorities regarding the disinfection operation.
Sources
French Authorities Launch Operation to Remove PlugX Malware from Infected Systems, The Hacker News.
French police push PlugX malware self-destruct payload to clean PCs, BleepingComputer.