Fraud Alert: How They Killed PlugX Malware!
While dealing with any sudden incident, almost all government authorities in India come up with knee-jerk reactions. Most of the time, their response is not just vague but provides no solution to the incident or issue. Take, for example, the ban on some Chinese apps to 'teach' a lesson to that country. A ban is never a solution to any issue. When the government ordered the removal of Chinese apps from the Google Play Store and Apple App Store, hundreds of portals began offering installation files for the very apps that had been banned in India.
 
When it comes to more serious security issues on the internet, the Indian Computer Emergency Response Team (CERT-In) is doing a good job. However, CERT-In is not a law enforcement agency (LEA) and, hence, its advisories carry no enforcement weight, which limits how effective its action can be.
 
In this context, it is indeed praiseworthy how LEAs and CERTs from several European countries, the US department of justice (DoJ) and the federal bureau of investigation (FBI) took down a version of the PlugX malware, which was created and spread to infect, control and steal information from victim computers by hackers sponsored by the People's Republic of China (PRC). These hackers are known to the private sector as 'Mustang Panda' and 'Twill Typhoon'.
 
Citing court documents, in a release, the DoJ says the PRC government paid the Mustang Panda group to, among other computer intrusion services, develop this specific version of PlugX. Since at least 2014, Mustang Panda hackers have infiltrated thousands of computer systems in campaigns targeting US victims, as well as European and Asian governments and businesses, and Chinese dissident groups. 
 
DoJ and FBI conducted a multi-month law enforcement operation that, alongside international partners, deleted 'PlugX' malware from thousands of infected computers worldwide. 
 
The international operation was led by French law enforcement and Sekoia.io. This France-based private cybersecurity company identified and reported on the capability to send commands to delete the PlugX version from infected devices. 
 
Working with these partners, FBI tested the commands, confirmed their effectiveness and determined that they did not otherwise impact the legitimate functions of infected computers or collect content information from them.
 
In August 2024, the DoJ and FBI obtained the first of nine warrants in the eastern district of Pennsylvania authorising the deletion of PlugX from US-based computers. The last of these warrants expired on 3 January 2025, concluding the US portions of the operation. This court-authorised operation deleted PlugX malware from about 4,258 US-based computers and networks, DoJ says in the statement.
 
According to FBI, at least 45,000 internet protocol (IP) addresses in the US had communicated with the command-and-control (C&C) server since September 2023. It was control of this same C&C server that allowed the LEAs and CERTs to kill PlugX: the malware only takes commands from the server it was built to contact, so whoever holds that server can tell every infected machine to remove the malware.
 
French law enforcement and cybersecurity firm Sekoia played the most crucial role in this operation. This variant of PlugX had been abandoned by its original operators but continued to spread on its own, mainly through infected USB drives, and was seen on almost 2.5mn (million) unique IP addresses worldwide.
 
A report from BleepingComputer says Sekoia took control of the abandoned C&C server used by PlugX, which received up to 100,000 pings from infected hosts daily and saw 2.5mn unique IP addresses from 170 countries connect over six months.
 
"The security firm sinkholed the PlugX botnet so it could not be used to issue commands to infected devices. However, the malware remained active on people's systems, increasing the risk that malicious actors could take control of the botnet and revive the infections. Sekoia proposed a clean-up mechanism that uses a custom PlugX plugin pushed to infected devices to issue a self-deletion command that removes the infection," the report says.
 
Sekoia researchers came up with two disinfection methods to remotely clean infected workstations. The first method involved sending a simple and reliable self-delete command to the compromised workstation. The second method was more intrusive, as it aimed to send and execute specific code to remove PlugX from the workstation and from any connected flash drives, if present.
 
However, since even the first approach is intrusive (it executes a command on computers whose owners have not consented) and could have legal ramifications, the researchers from Sekoia shared their solution with national CERTs and LEAs rather than acting on their own.
 
"Since all participants wanted to prevent any side effects, only the first method of disinfection was used during the campaign. Therefore, technically speaking, the process was straightforward. If an IP address met one of the rules set by the operators, the sinkhole would respond with our disinfection payload, which consisted of just a few bytes. It would also save in a database which IP address received the payload, along with the rule it followed and the associated timestamp," Sekoia says in a blog post.
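The rule-gated response Sekoia describes above is simple to model. The following is an added example (not Sekoia's code, nor anything from the operation) of a sinkhole that answers a beacon with the disinfection command only when the source IP falls inside a range an authorised operator has configured, and records every delivery with the rule and timestamp. The PlugX wire format and the real payload bytes are not on the page, so the beacon is reduced to a source IP and the payload is a hypothetical placeholder; the IP ranges are documentation addresses, constructed for the example.

```python
"""Sinkhole-side disinfection policy, modelled on the description in the
Sekoia blog post.  Added example; not Sekoia's, the FBI's or any CERT's code.
The beacon is modelled as (source IP, time); the payload is a placeholder."""
import ipaddress
import sqlite3
from datetime import datetime, timezone

# Hypothetical stand-in for the few-byte self-delete command.  The real
# bytes depend on the PlugX protocol and are not reproduced here.
DISINFECT_PAYLOAD = b"SELFDEL"
# What a sinkhole normally answers: nothing the implant acts on.
NOOP_RESPONSE = b""


class Sinkhole:
    def __init__(self, rules):
        # rules: list of (rule_name, [cidr, ...]).  Each rule stands for one
        # authorisation, e.g. the IP space a national CERT or a court order
        # covers.  Beacons outside every rule get no command at all.
        self.rules = [
            (name, [ipaddress.ip_network(c) for c in cidrs])
            for name, cidrs in rules
        ]
        # Audit trail: which IP got the payload, under which rule, and when.
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE deliveries (ip TEXT NOT NULL, rule TEXT NOT NULL, ts TEXT NOT NULL)"
        )

    def match_rule(self, src_ip):
        """Return the name of the first rule covering src_ip, or None."""
        addr = ipaddress.ip_address(src_ip)
        for name, nets in self.rules:
            # 'in' is False across IPv4/IPv6, so mixed rules are safe.
            if any(addr in net for net in nets):
                return name
        return None

    def handle_beacon(self, src_ip, now=None):
        """Answer one beacon.  Only authorised IPs receive the payload."""
        rule = self.match_rule(src_ip)
        if rule is None:
            return NOOP_RESPONSE
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self.db.execute(
            "INSERT INTO deliveries (ip, rule, ts) VALUES (?, ?, ?)",
            (src_ip, rule, ts),
        )
        self.db.commit()
        return DISINFECT_PAYLOAD

    def deliveries(self):
        """Everything recorded so far, oldest first."""
        return self.db.execute(
            "SELECT ip, rule, ts FROM deliveries ORDER BY ts"
        ).fetchall()


# Constructed rules using documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_RULES = [
    ("CERT-A authorised ranges", ["203.0.113.0/24"]),
    ("CERT-B authorised ranges", ["2001:db8::/32"]),
]


def run_demo():
    """Feed three constructed beacons through the sinkhole."""
    sink = Sinkhole(SAMPLE_RULES)
    t0 = datetime(2024, 9, 1, 12, 0, tzinfo=timezone.utc)
    responses = {
        "203.0.113.7": sink.handle_beacon("203.0.113.7", t0),      # covered by CERT-A
        "198.51.100.5": sink.handle_beacon("198.51.100.5", t0),    # no rule: ignored
        "2001:db8::1": sink.handle_beacon("2001:db8::1", t0),      # covered by CERT-B
    }
    return responses, sink.deliveries()


if __name__ == "__main__":
    responses, log = run_demo()
    for ip, resp in responses.items():
        print(f"{ip:>14} -> {resp!r}")
    for row in log:
        print("delivered:", row)
```

The rule table is where the legal authorisation meets the technical response: an operator only adds a range once a CERT or court has cleared it, and the deliveries table is the evidence of exactly which hosts were touched, which is what a law enforcement partner will ask for afterwards.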
 
So what exactly is PlugX malware and how has it entered so many systems worldwide? 
 
PlugX is a sophisticated remote access trojan (RAT) that has been used in cyber-espionage campaigns since at least 2008 and is closely associated with advanced persistent threat (APT) groups sponsored by a state actor, China in this case. The malware allows attackers to remotely control infected systems, steal sensitive information and deploy additional malware.
 
The key features of PlugX are its use of dynamic-link library (DLL) side-loading, its modular design, its persistence, its encrypted communication and, last but not least, its largely in-memory operation. PlugX is typically deployed as a legitimate, often digitally signed, executable placed next to a malicious DLL that carries the name of a library the executable expects to load; Windows searches the executable's own directory first, so the trusted program loads the attacker's DLL, and security tools that trust the signed process wave it through. Its modules provide keylogging, screen capture, file transfer and command execution.
 
PlugX uses techniques to ensure it stays active across reboots, such as adding registry run entries or creating scheduled tasks. It encrypts its C&C communication and data exfiltration to remain stealthy. Most importantly, the actual PlugX payload is decrypted and run only in memory; what touches the disk is the legitimate loader executable, the small side-loaded DLL and an encrypted blob, none of which looks like malware to a traditional file-based antivirus tool. This makes it very difficult for common users even to know that their systems are infected with the malware.
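The side-loading pattern described above is detectable from image-load telemetry (Sysmon event ID 7 or an EDR's equivalent). Here is an added example, not code from the page or from any vendor, of the heuristic a detection engineer would write over such events: a DLL whose name collides with a library that belongs in System32, loaded from outside the Windows system directories, sitting in the same folder as the host executable, with a signing mismatch between the two. The event records, paths, publisher names and the list of system DLL names are constructed for the example and make no claim about which DLLs PlugX itself abuses.

```python
"""DLL side-loading heuristic over constructed Sysmon-style image-load events.
Added example; not code from Sekoia, the FBI or any EDR product.
All paths, publishers and the DLL name list are constructed for illustration."""
import ntpath  # Windows path semantics, usable on any platform

# Directories where a Windows-shipped DLL is expected to live.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Constructed sample of DLL names that normally ship in System32.  A file
# with one of these names placed beside a signed third-party EXE is the
# classic side-load bait.  Not exhaustive and not a PlugX indicator list.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll",
    "msi.dll", "userenv.dll", "profapi.dll",
}


def _norm(path):
    return ntpath.normpath(path).lower()


def _in_system_dir(path):
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def classify_load(event):
    """Return the reasons an image-load looks like side-loading ([] if clean).

    event keys (Sysmon event 7 style): image (host EXE), image_loaded (DLL),
    image_signed, image_signer, dll_signed, dll_signer.
    """
    reasons = []
    exe = _norm(event["image"])
    dll = _norm(event["image_loaded"])
    dll_name = ntpath.basename(dll)
    if dll_name not in SYSTEM_DLL_NAMES:
        return reasons          # not impersonating a system DLL; out of scope
    if _in_system_dir(dll):
        return reasons          # loaded from where it belongs
    reasons.append(f"{dll_name} loaded from outside the Windows system directories")
    if ntpath.dirname(exe) == ntpath.dirname(dll):
        reasons.append("DLL sits in the host EXE's own directory (search-order hijack)")
    if event.get("image_signed") and not event.get("dll_signed"):
        reasons.append("signed host EXE loaded an unsigned DLL")
    elif (event.get("image_signed") and event.get("dll_signed")
          and event.get("image_signer") != event.get("dll_signer")):
        reasons.append("host EXE and DLL are signed by different publishers")
    return reasons


def find_sideloads(events):
    """Return [(exe, dll, reasons)] for every event that trips the heuristic."""
    hits = []
    for ev in events:
        reasons = classify_load(ev)
        if reasons:
            hits.append((ev["image"], ev["image_loaded"], reasons))
    return hits


# Constructed sample events.
SAMPLE_EVENTS = [
    {   # benign: system DLL loaded from System32
        "image": r"C:\Program Files\Vendor\tool.exe",
        "image_loaded": r"C:\Windows\System32\version.dll",
        "image_signed": True, "image_signer": "Vendor Ltd",
        "dll_signed": True, "dll_signer": "Microsoft Windows",
    },
    {   # suspicious: signed EXE in a temp folder loads an unsigned version.dll beside it
        "image": r"C:\Users\alice\AppData\Local\Temp\update\viewer.exe",
        "image_loaded": r"C:\Users\alice\AppData\Local\Temp\update\version.dll",
        "image_signed": True, "image_signer": "Vendor Ltd",
        "dll_signed": False, "dll_signer": "",
    },
    {   # benign: the application's own DLL, not a system DLL name
        "image": r"C:\Program Files\Vendor\tool.exe",
        "image_loaded": r"C:\Program Files\Vendor\toolcore.dll",
        "image_signed": True, "image_signer": "Vendor Ltd",
        "dll_signed": True, "dll_signer": "Vendor Ltd",
    },
]

if __name__ == "__main__":
    for exe, dll, reasons in find_sideloads(SAMPLE_EVENTS):
        print(exe, "->", dll)
        for r in reasons:
            print("   ", r)
```

Only the second event fires, and it fires on all three counts. The name list is the weak point of any such rule: in production it should be generated from a clean reference machine's System32 listing rather than hand-maintained, and the signer comparison needs the EDR to have verified the signatures, not merely read them from the file.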
 
However, it does not mean that you cannot protect your systems or devices from a malware infection. You just need to follow a few simple rules, like not opening unsolicited email attachments or clicking on suspicious links. In addition, regularly update the operating system (OS) of your device and all software or apps installed. Use good quality security software or apps that provide endpoint detection and response (EDR) solutions to detect and block malicious activities. Regularly back up critical data and store backups offline.
 
You can also use a firewall and intrusion detection or prevention systems (IDS/IPS) to block, or at least alert on, unauthorised outbound communications from your systems, such as beacons to known C&C servers.
 
Stay Alert, Stay Safe!