French judicial authorities, in collaboration with Europol, have launched a "disinfection operation" to clean hosts infected with the PlugX malware.
The operation was launched by the Paris Prosecutor’s Office, Parquet de Paris, on July 18 and is expected to continue for several months.
According to the authorities, around a hundred victims in France, Malta, Portugal, Croatia, Slovakia, and Austria have already been assisted in cleaning up the malware.
This action comes after French cybersecurity firm Sekoia disclosed that it sinkholed a command-and-control (C2) server associated with the PlugX trojan in September 2023.
PlugX, also known as Korplug, is a remote access trojan (RAT) that threat actors with ties to China have used since 2008.
The malware is typically deployed through DLL side-loading: a legitimate, often signed, executable is tricked into loading a malicious DLL placed next to it, which in turn decrypts and runs the PlugX payload. Once running, it lets the operators execute commands, transfer files, and exfiltrate sensitive information from compromised systems.
Sekoia mentioned that PlugX has evolved over time and is linked to intrusion sets associated with the Chinese Ministry of State Security.
One of PlugX's notable features is its ability to spread via infected USB drives, which lets it reach systems on air-gapped networks.
Sekoia explained that while infected workstations can be cleaned, removing PlugX from USB drives remains a challenge: the worm persists on the drive and propagates autonomously, without needing the C2 server, so a cleaned host can be reinfected the next time such a drive is plugged in.
Considering the legal complexities, Sekoia is collaborating with national CERTs, law enforcement agencies, and cybersecurity authorities to address the widespread PlugX infections.
The company stated that a disinfection operation has been launched in France to dismantle the botnet made up of hosts infected by the PlugX worm, with a remediation solution developed by the Sekoia TDR (Threat Detection & Research) team being deployed through Europol.
The joint effort involving various authorities aims to combat malicious cyber activities and protect victims worldwide.