Ethical Hacking News

FBI's Global Effort to Eradicate Chinese PlugX Malware Yields Success in Removing Over 4,200 US-Based Infected Computers



In a significant victory for the U.S. Department of Justice, the FBI has successfully deleted Chinese PlugX malware from over 4,200 computers in networks across the United States as part of a global takedown operation led by French law enforcement and cybersecurity firm Sekoia.

  • The US Department of Justice has successfully deleted Chinese PlugX malware from over 4,200 computers in networks across the United States.
  • The malware was used in attacks since at least 2008, primarily targeting government, defense, technology, and political organizations in Asia and later globally.
  • The operation involved French law enforcement and cybersecurity firm Sekoia, and marked a significant victory in combating cyber espionage and malicious activities.
  • The malware's persistence was maintained by creating registry keys that automatically ran the PlugX application when the computer was started.
  • The owners of computers infected with PlugX were typically unaware of the infection.



The U.S. Department of Justice has announced a significant victory in its ongoing efforts to combat cyber espionage and malicious activities carried out by foreign entities. In a joint operation with French law enforcement and cybersecurity firm Sekoia, the FBI has successfully deleted Chinese PlugX malware from over 4,200 computers in networks across the United States.

The PlugX variant of malware, controlled by the Chinese cyber espionage group Mustang Panda (also tracked as Twill Typhoon), had been wreaking havoc on thousands of systems using a wormable component that allowed it to spread through USB flash drives. The malware's persistence on infected computers was maintained by creating registry keys that automatically ran the PlugX application when the computer was started.

According to court documents, the list of victims targeted using this malware included European shipping companies in 2024, several European governments from 2021 to 2023, Chinese dissident groups worldwide, and governments throughout the Indo-Pacific region (e.g., Taiwan, Hong Kong, Japan, South Korea, Mongolia, India, Myanmar, Indonesia, the Philippines, Thailand, Vietnam, and Pakistan). The owners of computers infected by PlugX malware were typically unaware of the infection.

In August 2024, the Justice Department and the FBI obtained the first of nine warrants in the Eastern District of Pennsylvania authorizing the deletion of PlugX from U.S.-based computers. This marked the beginning of a global takedown operation led by French law enforcement and cybersecurity company Sekoia.

Over six months later, the FBI completed its portion of the operation by deleting PlugX malware from approximately 4,258 U.S.-based computers and networks. The command sent to infected computers by the FBI instructed the malware to:

  • delete files created by the PlugX malware on the victim's computer;
  • delete the PlugX registry keys used to automatically run the PlugX application when the victim computer was started;
  • create a temporary script file to delete the PlugX application after it was stopped;
  • stop the PlugX application; and
  • run the temporary file to delete the PlugX application.

The FBI notified the owners of U.S.-based computers that had been cleaned of the PlugX infection through their internet service providers, stating that the action did not collect information from or impact the disinfected devices in any way. Cybersecurity firm Sekoia had previously discovered a botnet of devices infected with the same PlugX variant, taking control of its command and control (C2) server at 45.142.166[.]112 in April 2024.

The PlugX malware has been used in attacks since at least 2008, mainly in cyber espionage and remote access operations by groups linked to the Chinese Ministry of State Security. Multiple threat groups have used it to target government, defense, technology, and political organizations, primarily in Asia and later expanding to the rest of the world.

Some PlugX builders have also been detected online, and some security researchers believe that the malware's source code leaked around 2015. This, combined with the tool's many updates, makes it very difficult to attribute the malware's development and use in attacks to a specific threat actor or agenda.

The PlugX malware features extensive capabilities, including collecting system information, uploading and downloading files, logging keystrokes, and executing commands. The FBI's successful removal of this malware marks an important milestone in its efforts to combat foreign cyber threats and protect national security.
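As an added example that is not part of the article or of any FBI or Sekoia tooling, the following PowerShell script audits the Run/RunOnce autostart registry keys that the article describes as PlugX's persistence mechanism and flags entries a defender would want to review before taking the kind of ordered cleanup the FBI command performed (stop the process, remove the key, delete the files). The review heuristics (missing target, unsigned binary, user-writable install path) are general assumptions for an autorun audit, not PlugX-specific indicators, and the script only reports; it changes nothing.

```powershell
# Added example: report-only audit of Windows autorun ("Run") keys. Run from an
# elevated PowerShell prompt so the HKLM hives are readable.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Directories an ordinary user can write to; an autorun pointing here is unusual for
# legitimately installed software and deserves a closer look (assumed heuristic).
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
# Metadata properties Get-ItemProperty adds that are not real autorun values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath([string]$CommandLine) {
    # Extract the program path from a Run value: quoted form first, then an unquoted
    # path ending in a runnable extension, else the first whitespace-delimited token
    # (unquoted paths containing spaces are inherently ambiguous and fall through here).
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(\S+\.(exe|dll|bat|cmd|vbs|js|ps1))') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notin $metaProps })) {
        $cmd = [string]$props.$name
        $exe = Get-ExecutablePath $cmd
        $why = @()
        if (-not (Test-Path -LiteralPath $exe)) {
            $why += 'target missing'          # dangling entry or a path we could not parse
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $why += "signature $($sig.Status)" }
            foreach ($dir in $userWritable) {
                if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $why += 'user-writable path'; break
                }
            }
        }
        [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Target = $exe; Flags = ($why -join '; ') }
    }
}
# List every autorun entry, flagged ones first, so nothing is hidden from the reviewer.
$findings | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap
```

Flagged entries are candidates for review against software inventory and endpoint telemetry, not automatic removal; a legitimate unsigned updater or a portable tool in a profile directory will also appear here.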



Related Information:

  • https://www.bleepingcomputer.com/news/security/fbi-deletes-chinese-plugx-malware-from-thousands-of-us-computers/

  • https://techcrunch.com/2025/01/14/doj-confirms-fbi-operation-that-mass-deleted-chinese-malware-from-thousands-of-us-computers/


  • Published: Wed Jan 15 03:32:02 2025 by llama3.2 3B Q4_K_M



© Ethical Hacking News. All rights reserved.
