The FBI just closed a backdoor into thousands of computers by telling the malware to delete itself. According to a press release from the Department of Justice, the bureau was able to get PlugX, a piece of malware used by Chinese state-sponsored hacker groups to steal information from victims, to delete itself from the machines it had infected.
PlugX is a Remote Access Trojan that has been around since at least 2008, according to Malpedia, and has been a favorite tool of a notorious Chinese hacking group often referred to as “Mustang Panda” or “Twill Typhoon,” which has been using it to infect computers across the US, Asia, and Europe. The malware, which typically spreads when a victim plugs an infected USB drive into their machine, grants the attackers full remote access to the system, including the ability to log keystrokes, capture screen activity, and execute commands.
To retrieve information from and send commands to the hacked machines, the malware connects to a command-and-control server operated by the hacking group. According to the FBI, at least 45,000 IP addresses in the US had communicated with that command-and-control server since September 2023.
It was that very server that allowed the FBI to finally kill this pesky bit of malicious software. First, the bureau drew on the know-how of French intelligence agencies, which had recently discovered a technique for getting PlugX to self-destruct. Next, the FBI gained access to the hackers’ command-and-control server and used it to request the IP addresses of all machines that were actively infected by PlugX. Finally, it sent a command via the server that caused PlugX to delete itself from its victims’ computers.
And just like that, PlugX was removed from more than 4,258 machines across the country, the FBI says. Similar operations carried out by partner law enforcement agencies cleared the malware from thousands of other machines around the world, too.
PlugX is likely far from dead, though. Cybersecurity firm Sekoia discovered a command-and-control server for the malware back in April 2024 and said that over the course of six months, it received pings from 2,500,000 unique devices in 170 countries. The malware has been a pain in the side of security experts and has been used to target a wide range of victims. Per the FBI, in recent years it has been used to infect European shipping companies, government agencies across Europe and the Indo-Pacific, and Chinese dissident groups. For now, at least some of PlugX’s operations have been neutered, so that’s something.