
Trojan on 3000 devices: how the Paris Olympics started

French experts have found a way to remove the PlugX Trojan.

A large-scale operation to remove the PlugX Trojan from infected devices has begun in 6 countries around the world. The campaign was organized by the French police with the support of Europol and the French information security company Sekoia.

PlugX is a Remote Access Trojan (RAT) that has long been used by Chinese hackers. New versions of PlugX are modified and released depending on the current needs of attackers.

In April, Sekoia took control of the C2 server of one of the PlugX variants. The malware spread through USB drives, creating a botnet that continued to infect devices even after it was left unattended by the operator. As a result, in 6 months of independent operation, the Trojan infected about 2.5 million devices worldwide. Since the botnet remained active, it could have been hijacked by other cybercriminals.

To eliminate the threat, Sekoia specialists proposed a cleaning mechanism that uses a special plug-in for PlugX, which sends a command to the device to self-destruct the malware. A method for scanning connected USB drives to remove the Trojan was also proposed. However, automatic cleaning of USB drives could damage the media and lead to the loss of legitimate files, which made this approach risky.

Given the legal difficulties that could arise during a large-scale clean-up campaign, Sekoia has passed on its decision to Computer Incident Response Teams (CERTs), law enforcement agencies, and information security regulators.

Europol received a "sanitizer" and shared it with partner countries to remove PlugX from devices. Although details about the cleaning mechanism were not disclosed, it is likely that the program created is similar to the PlugX module described in the April Sekoia report.

In the midst of the 2024 Olympic Games in Paris, the French authorities are on high alert, and the risk of having PlugX in their systems in France is unacceptable. Therefore, PlugX is now being removed from infected systems not only in France, but also in Malta, Portugal, Croatia, Slovakia and Austria. The clean-up operation began on July 18 and will last for several months, probably until the end of the year.

It is noted that this version of PlugX is distributed via infected USB drives, and it is not known whether the Sekoia solution includes the ability to remove malware from removable media. Users are advised to use caution when connecting USB flash drives to computers in print shops and other places where there are many physical connections on a daily basis, and to scan their devices before connecting them to systems with sensitive data.

Europol and the French authorities did not comment.
