
French Authorities Initiate Major Operation to Eradicate PlugX Malware from Infected Systems

French judicial authorities, in collaboration with Europol, have launched a significant operation to remove the notorious PlugX malware from compromised systems. The initiative, which began on July 18, 2024, is expected to last several months and aims to clean infected devices in multiple countries, including France, Malta, Portugal, Croatia, Slovakia, and Austria.

Key Takeaways

  • French authorities, with Europol, have initiated a disinfection operation against PlugX malware.

  • The operation targets infected systems in several European countries.

  • The initiative follows the sinkholing of a PlugX command-and-control server by cybersecurity firm Sekoia.

  • The malware, used by Chinese threat actors, has infected millions of devices globally.

Background on PlugX Malware

PlugX, also known as Korplug, is a remote access trojan (RAT) that has been in use since at least 2008. It is primarily associated with Chinese threat actors and is known for its ability to execute arbitrary commands, upload and download files, enumerate files, and harvest sensitive data. The malware is typically deployed using DLL side-loading techniques and has evolved to include a wormable component that allows it to spread via infected USB drives.

The Disinfection Operation

The Paris Prosecutor's Office, Parquet de Paris, announced the operation, which aims to rid compromised hosts of PlugX. The operation is being conducted by the Center for the Fight Against Digital Crime (C3N) of the National Gendarmerie, with assistance from Sekoia. Sekoia had previously sinkholed a command-and-control server for a widely distributed PlugX variant, which had been abandoned by its original operator but continued to spread independently.

Technical Details

Sekoia's solution relies on the sinkholed command-and-control server: because the abandoned implants still check in to it, Sekoia can answer those check-ins with a custom PlugX plugin that instructs the malware to delete itself from the host. The firm also proposed a method to scan USB flash drives connected to an infected host and remove the malware from them, but it flagged that this approach carries a risk of damaging the media or leaving the drive's legitimate files inaccessible, since the clean-up would be acting on removable storage that also holds the victim's own data.

Legal and Operational Challenges

Given the potential legal challenges of remotely wiping malware from systems, Sekoia deferred the decision to national Computer Emergency Response Teams (CERTs), law enforcement agencies, and cybersecurity authorities. The operation has received support from various international partners, including Europol and police forces from multiple countries.

Impact and Future Steps

The disinfection operation is expected to continue for several months, possibly concluding by late 2024. The National Agency for the Security of Information Systems (ANSSI) will notify victims in France about the clean-up process. With the Paris 2024 Olympic Games approaching, French authorities are on high alert to mitigate any cybersecurity risks.

Recommendations for Users

  • Be cautious when using USB drives, especially in public places like printing shops.

  • Scan USB devices on an isolated or dedicated machine before connecting them to systems that hold sensitive data.

  • Stay informed about updates from cybersecurity authorities regarding the disinfection operation.

Learn how the team at Betterworld Technology can help protect you from cyber-threats by booking a consultation with our experts. Together we can find the best solutions and systems to implement and help your organization run smoothly and efficiently.
