Cyber Defense Advisors

French Authorities Launch Operation to Remove PlugX Malware from Infected Systems

French judicial authorities, in collaboration with Europol, have launched a so-called “disinfection operation” to rid compromised hosts of a known malware called PlugX.

The Paris Prosecutor’s Office, Parquet de Paris, said the initiative was launched on July 18 and that it’s expected to continue for “several months.”

It further said around a hundred victims located in France, Malta, Portugal, Croatia, Slovakia, and Austria have already benefited from the cleanup efforts.

The development comes nearly three months after French cybersecurity firm Sekoia disclosed it sinkhole a command-and-control (C2) server linked to the PlugX trojan in September 2023 by spending $7 to acquire the IP address. It also noted that nearly 100,000 unique public IP addresses have been sending PlugX requests daily to the seized domain.

PlugX (aka Korplug) is a remote access trojan (RAT) widely used by China-nexus threat actors since at least 2008, alongside other malware families like Gh0st RAT and ShadowPad.

The malware is typically launched within compromised hosts using DLL side-loading techniques, allowing threat actors to execute arbitrary commands, upload/download files, enumerate files, and harvest sensitive data.

“This backdoor, initially developed by Zhao Jibin (aka. WHG), evolved throughout the time in different variants,” Sekoia said earlier this April. “The PlugX builder was shared between several intrusion sets, most of them attributed to front companies linked to the Chinese Ministry of State Security.”

Over the years, it has also incorporated a wormable component that enables it to be propagated via infected USB drives, effectively bypassing air-gapped networks.

Sekoia, which devised a solution to delete PlugX, said variants of the malware with the USB distribution mechanism come with a self-deletion command (“0x1005”) to remove itself from the compromised workstations, although there is currently no way to remove it from the USB devices itself.

“Firstly, the worm has the capability to exist on air-gapped networks, which makes these infections beyond our reach,” it said. “Secondly, and perhaps more noteworthy, the PlugX worm can reside on infected USB devices for an extended period without being connected to a workstation.”

Given the legal complications involved in remotely wiping the malware off the systems, the company further noted that it’s deferring the decision to national Computer Emergency Response Teams (CERTs), law enforcement agencies (LEAs), and cybersecurity authorities.

“Following a report from Sekoia.io, a disinfection operation was launched by the French judicial authorities to dismantle the botnet controlled by the PlugX worm. PlugX affected several million victims worldwide,” Sekoia told The Hacker News. “A disinfection solution developed by the Sekoia.io TDR team was proposed via Europol to partner countries and is being deployed at this time.”

“We are pleased with the fruitful cooperation with the actors involved in France (section J3 of the Paris Public Prosecutor’s Office, Police, Gendarmerie and ANSSI) and internationally (Europol and police forces of third countries) to take action against long-lasting malicious cyber activities.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.