Security News > 2024 > July > French Authorities Launch Operation to Remove PlugX Malware from Infected Systems

French judicial authorities, in collaboration with Europol, have launched a so-called "Disinfection operation" to rid compromised hosts of a known malware called PlugX. The Paris Prosecutor's Office, Parquet de Paris, said the initiative was launched on July 18 and that it's expected to continue for "Several months."

The development comes nearly three months after French cybersecurity firm Sekoia disclosed it sinkhole a command-and-control server linked to the PlugX trojan in September 2023 by spending $7 to acquire the IP address.

PlugX is a remote access trojan widely used by China-nexus threat actors since at least 2008, alongside other malware families like Gh0st RAT and ShadowPad. The malware is typically launched within compromised hosts using DLL side-loading techniques, allowing threat actors to execute arbitrary commands, upload/download files, enumerate files, and harvest sensitive data.

Sekoia, which devised a solution to delete PlugX, said variants of the malware with the USB distribution mechanism come with a self-deletion command to remove itself from the compromised workstations, although there is currently no way to remove it from the USB devices itself.

"Secondly, and perhaps more noteworthy, the PlugX worm can reside on infected USB devices for an extended period without being connected to a workstation."

"Following a report from Sekoia.io, a disinfection operation was launched by the French judicial authorities to dismantle the botnet controlled by the PlugX worm. PlugX affected several million victims worldwide," Sekoia told The Hacker News.

News URL

https://thehackernews.com/2024/07/french-authorities-launch-operation-to.html