Pierluigi Paganini
July 28, 2024
The French authorities, with the help of Europol, have launched on July 18, 2024, a “disinfection operation” to clean hosts infected with the PlugX malware.
Following a report by the cybersecurity firm Sekoia.io, the Paris Public Prosecutor’s Office launched a preliminary investigation into a botnet involving millions of global victims, including thousands of machines in France. According to the French authorities, the botnet was used for espionage purposes. The disinfection solution was provided through Europol to partner countries benefiting as a result of this international operation.
In September 2023, Sekoia researchers successfully sinkholed a C2 server linked to the PlugX malware. They identified and acquired the unique IP address tied to a variant of this worm for $7.
“Almost four years after its initial launch, between ~90,000 to ~100,000 unique public IP addresses are still infected, sending distinctive PlugX requests daily to our sinkhole. We observed in 6 months of sinkholing more than 2,5M unique IPs connecting to it.” reads the report published by Sekoia.
The PlugX malware is a remote access trojan (RAT) that has been used since 2008 by multiple China-linked APT groups, including Mustang Panda, Winnti, and APT41
The RAT uses DLL side-loading to load its own malicious payload malicious DLL when a digitally signed software application, such as the x32dbg debugging tool (x32dbg.exe), is executed.
Attackers achieved persistence by modifying registry entries and creating scheduled tasks to maintain access even when the system is restarted.
Researchers analyzed the cryptography of PlugX’s communications and discovered that they could send disinfection commands to compromised workstations. They outlined two approaches: one that cleans only the workstation and another one that disinfects USB drives. Although the worm can’t be fully eradicated, they offer affected countries a “sovereign disinfection process” to mitigate the infection.
As the time of the report was published, the worm has been observed in over 170 countries globally with more than 2.495.000 unique infections. Around 15 countries account for over 80% of the total infections
Due to potential legal challenges associated with conducting a widespread disinfection campaign, the decision to launch large-scale disinfection is being left to national Computer Emergency Response Teams (CERTs), Law Enforcement Agencies (LEAs), and cybersecurity authorities. The so-called “sovereign disinfection” involves these national bodies receiving data from the researchers’ sinkhole about infections within their jurisdictions. They can then decide whether to start a disinfection, based on their assessment of the situation. This process allows for a tailored response, considering cross-border internet connections and other complexities.
“As stated before, there are limitations to the two discussed methods of remote disinfection. Firstly, the worm has the capability to exist on air-gapped networks, which makes these infections beyond our reach. Secondly, and perhaps more noteworthy, the PlugX worm can reside on infected USB devices for an extended period without being connected to a workstation.” concludes the report. “Therefore, it is impossible to complete remove this worm, by issuing a unique command to all the infected workstations. Consequently, we also strongly recommend that security editors create effective detection rules against this threat on the workstation side to prevent the reuse of this botnet in the future.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
