French Authorities Remove PlugX Malware from Infected Devices
French police and Europol have announced the deployment of a “disinfection solution” that automatically removes the PlugX malware from infected devices in France. This operation is being carried out by law enforcement in cooperation with the French cybersecurity company Sekoia, whose specialists discovered and sinkholed the command-and-control server of an abandoned PlugX variant in April 2024.
Background on PlugX
The PlugX remote access trojan has long been used by various Chinese hacker groups in their attacks. New variants typically emerge to suit the needs of specific malicious campaigns. Cybersecurity experts have known about PlugX since 2008, and it is believed to have been developed in China and used by several “government-affiliated” hacking groups.
Discovery and Spread of PlugX
In April 2024, Sekoia specialists discovered a command-and-control server for a PlugX variant that was spreading via USB drives. Although the botnet had been abandoned by its operators, it continued to spread like a worm, infecting about 2.5 million devices. The experts took control of the abandoned malware servers, which were receiving up to 100,000 requests daily from infected hosts. Over six months, about 2.5 million unique IP addresses from 170 countries connected to these servers.
While Sekoia successfully sinkholed the command servers to prevent them from issuing commands to infected devices, the malware remained active on compromised systems. This increased the risk that attackers could regain control of the botnet and resume their attacks.
Development of a Cleaning Mechanism
As a result, Sekoia experts developed a cleaning mechanism for infected devices. It relies on a custom PlugX plugin that, once installed on a compromised system, instructs the malware to self-destruct.
The researchers also proposed a method to check connected USB drives for the malware, with the goal of removing it. However, automatically cleaning USB drives could damage the device and block access to legitimate files, so this approach was deemed too risky.
Legal Considerations and Law Enforcement Involvement
Because removing PlugX from infected devices could have legal implications, the researchers shared their solutions with law enforcement agencies. “Given the potential legal issues that could arise from a large-scale cleaning campaign—one that would involve sending arbitrary commands to workstations we do not own—we decided to leave this decision to regional CERTs, law enforcement, and cybersecurity authorities,” Sekoia wrote in their April report.
Europol has now received Sekoia’s cleaning solution and is distributing it to partner countries to help remove the malware.
PlugX Removal Operation in France and Other Countries
With the 2024 Olympic Games set to begin in Paris this week, French authorities deemed the risk from 3,000 PlugX-infected systems found in France unacceptable. As a result, PlugX is now being removed from infected systems in France, as well as in Malta, Portugal, Croatia, Slovakia, and Austria. The malware removal operation began on July 18, 2024, and is expected to last several months, concluding by the end of 2024.
The French National Cybersecurity Agency (ANSSI) will individually notify all PlugX victims in France about the cleaning process and its impact on their devices.