French police push PlugX malware self-destruct payload to clean PCs

The French police and Europol are pushing out a “disinfection solution” that automatically removes the PlugX malware from infected devices in France.

The operation is conducted by the Center for the Fight Against Digital Crime (C3N) of the National Gendarmerie with assistance by French cybersecurity firm Sekoia, which sinkholed a command and control server for a widely distributed PlugX variant last April.

PlugX is a remote access trojan that has been deployed by multiple Chinese threat actors for a long time. New variants are modified and released according to a malicious campaign’s operational needs.

Cybersecurity firm Sekoia previously reported on a botnet for a PlugX variant that spread through USB flash drives. This botnet was abandoned by its original operator, but it continued to spread independently, infecting almost 2.5 million devices.

Sekoia took control of the abandoned command and control servers, which received up to 100,000 pings from infected hosts daily and had 2,500,000 unique connections from 170 countries over six months.

The security firm sinkholed the PlugX botnet so it could not be used to issue commands to infected devices. However, the malware remained active on people’s systems, increasing the risk that malicious actors could take control of the botnet and revive the infections.

Sekoia proposed a clean-up mechanism that uses a custom PlugX plugin pushed to infected devices to issue a self-deletion command that removes the infection.

The researchers also proposed a method to scan connected USB flash drives for the malware and remove it. However, automatically cleaning USB drives could damage the media and prevent access to legitimate files, making the approach risky.

As this approach is intrusive and could lead to legal ramifications, the researchers shared their solution with law enforcement.

“Given the potential legal challenges that could arise from conducting a widespread disinfection campaign, which involves sending an arbitrary command to workstations we do not own, we have resolved to defer the decision on whether to disinfect workstations in their respective countries to the discretion of national Computer Emergency Response Teams (CERTs), Law Enforcement Agencies (LEAs), and cybersecurity authorities,” explained Sekoia in their April report.

Cleaning French devices

According to C3N, Europol received a disinfection solution from Sekoia, which is being shared with partner countries to remove the malware from devices in their countries.

While Sekoia told BleepingComputer that they could not share details about the solution, it is likely a similar solution to the PlugX module they described in their report.

With the Paris 2024 Olympic Games approaching, the French authorities, including all cybersecurity stakeholders, are on high alert, so the risk of PlugX found in 3,000 systems in France was considered unacceptable.

Hence, PlugX payloads are now being removed from infected systems in France, but also in Malta, Portugal, Croatia, Slovakia, and Austria.

The disinfection operation started on July 18, 2024, and is expected to continue for several months, possibly ending in late 2024.

The National Agency for the Security of Information Systems (ANSSI) will individually notify victims in France about the clean-up process and how it impacts them.

It’s worth noting that this particular PlugX variant spreads via infected USB drives, and it is not known if Sekoia’s solution includes the ability to remove the malware from removable media.

People are advised to be cautious when plugging their USB sticks into systems at printing shops and other places that receive many physical connections daily and to scan their devices afterward before connecting them to systems holding sensitive data.

BleepingComputer contacted Europol and the French authorities with questions about the disinfection solution but has not received a reply yet.

---