Law enforcement action deletes PlugX malware from thousands of machines – CyberScoop
U.S. and international law enforcement agencies have removed the PlugX malware from thousands of computers worldwide in a coordinated campaign to blunt the effectiveness of one of the most infamous pieces of malware used by malicious cyber actors.
According to recently unsealed court documents from the Eastern District of Pennsylvania, the U.S. Department of Justice worked alongside international partners, including French law enforcement and the cybersecurity firm Sekoia.io, to dismantle a network that deployed PlugX — a remote access trojan (RAT) — targeting U.S. victims, as well as European and Asian governments and businesses, and Chinese dissident groups.
The DOJ pins the malware network’s operations to a collective of hackers reportedly sponsored by the People’s Republic of China (PRC). The group, known as “Mustang Panda” or “Twill Typhoon,” has been implicated in numerous cyberattacks since 2014.
The takedown operation, which spanned several months, was facilitated by a series of court-authorized warrants allowing for the elimination of PlugX from approximately 4,258 U.S.-based computers and networks. Additionally, the French Gendarmerie Cyber Unit C3N and the Paris prosecutor’s office initiated a similar investigation, identifying a botnet of several million infected devices. Both operations were aided by French cybersecurity company Sekoia, which developed a tool to detect and remove the malware.
“Leveraging our partnership with French law enforcement, the FBI acted to protect U.S. computers from further compromise by PRC state-sponsored hackers,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Today’s announcement reaffirms the FBI’s dedication to protecting the American people by using its full range of legal authorities and technical expertise to counter nation-state cyber threats.”
PlugX is a RAT that has been active since 2008 and serves as a backdoor into compromised systems, giving attackers full control of an infected machine and the ability to execute arbitrary commands remotely. It is associated with several threat groups linked to advanced persistent threats (APTs), such as APT22, APT26, and APT31, which are thought to operate under or in coordination with state-sponsored campaigns.
PlugX's capabilities make it an effective tool for cyber espionage and criminal activity. It can retrieve system data, capture screenshots, simulate keyboard and mouse input, and log keystrokes. It also lets attackers manage the system's processes and services, edit Windows registry entries, and open a command shell, giving the operator extensive control over the host. Together these functions allow comprehensive surveillance and data theft without drawing attention, which complicates efforts to detect and remove it.
A PlugX variant was used by attackers in the 2015 Office of Personnel Management breach, allowing them to move through OPM’s systems, as well as compress and exfiltrate data. Cybercriminals have also used PlugX variants in ransomware attacks.
Assistant Attorney General Matthew Olsen stressed the importance of disrupting cyber threats proactively, noting that this effort parallels recent actions against other Chinese and Russian hacking groups.
“This operation, like other recent technical operations against Chinese and Russian hacking groups like Volt Typhoon, Flax Typhoon, and APT28, has depended on strong partnerships to successfully counter malicious cyber activity,” Olsen said in a release. “I commend partners in the French government and private sector for spearheading this international operation to defend global cybersecurity.”
You can read the full affidavit on the department’s website.