OVERKILL
$100 Site Donor 2021
https://www.bleepingcomputer.com/ne...e-plugx-malware-from-over-4-000-us-computers/
The U.S. Department of Justice announced today that the FBI has deleted Chinese PlugX malware from over 4,200 computers in networks across the United States.
The malware, controlled by the Chinese cyber espionage group Mustang Panda (also tracked as Twill Typhoon), infected thousands of systems using a PlugX variant with a wormable component that allowed it to spread through USB flash drives.
According to court documents, the list of victims targeted using this malware includes "European shipping companies in 2024, several European Governments from 2021 to 2023, worldwide Chinese dissident groups, and governments throughout the Indo-Pacific (e.g., Taiwan, Hong Kong, Japan, South Korea, Mongolia, India, Myanmar, Indonesia, Philippines, Thailand, Vietnam, and Pakistan)."
*SNIP*
"In August 2024, the Justice Department and FBI obtained the first of nine warrants in the Eastern District of Pennsylvania authorizing the deletion of PlugX from U.S.-based computers," the Justice Department said today.
"The last of these warrants expired on Jan. 3, 2025, thereby concluding the U.S. portions of the operation. In total, this court-authorized operation deleted PlugX malware from approximately 4,258 U.S.-based computers and networks."
The command sent to infected computers by the FBI told the PlugX malware:
Cybersecurity firm Sekoia previously discovered a botnet of devices infected with the same PlugX variant, taking control of its command and control (C2) server at 45.142.166[.]112 in April 2024. Sekoia said that, over six months, the botnet's C2 server received up to 100,000 pings from infected hosts daily and had 2,500,000 unique connections from 170 countries.
PlugX has been used in attacks since at least 2008, mainly in cyber espionage and remote access operations by groups linked to the Chinese Ministry of State Security. Multiple threat groups have used it to target government, defense, technology, and political organizations, primarily in Asia and later expanding to the rest of the world.
A bit wild that the "disinfection" involves directing the malware to delete itself...
Wild that this software has been around since at least 2008, that's some crazy staying power (though it has received updates).
The U.S. Department of Justice announced today that the FBI has deleted Chinese PlugX malware from over 4,200 computers in networks across the United States.
The malware, controlled by the Chinese cyber espionage group Mustang Panda (also tracked as Twill Typhoon), infected thousands of systems using a PlugX variant with a wormable component that allowed it to spread through USB flash drives.
According to court documents, the list of victims targeted using this malware includes "European shipping companies in 2024, several European Governments from 2021 to 2023, worldwide Chinese dissident groups, and governments throughout the Indo-Pacific (e.g., Taiwan, Hong Kong, Japan, South Korea, Mongolia, India, Myanmar, Indonesia, Philippines, Thailand, Vietnam, and Pakistan)."
*SNIP*
"In August 2024, the Justice Department and FBI obtained the first of nine warrants in the Eastern District of Pennsylvania authorizing the deletion of PlugX from U.S.-based computers," the Justice Department said today.
"The last of these warrants expired on Jan. 3, 2025, thereby concluding the U.S. portions of the operation. In total, this court-authorized operation deleted PlugX malware from approximately 4,258 U.S.-based computers and networks."
The command sent to infected computers by the FBI told the PlugX malware:
- Delete the files created by the PlugX malware on the victim's computer,
- Delete the PlugX registry keys used to automatically run the PlugX application when the victim computer is started,
- Create a temporary script file to delete the PlugX application after it is stopped,
- Stop the PlugX application and
- Run the temporary file to delete the PlugX application, delete the directory created on the victim computer by the PlugX malware to store the PlugX files, and delete the temporary file from the victim computer.
Cybersecurity firm Sekoia previously discovered a botnet of devices infected with the same PlugX variant, taking control of its command and control (C2) server at 45.142.166[.]112 in April 2024. Sekoia said that, over six months, the botnet's C2 server received up to 100,000 pings from infected hosts daily and had 2,500,000 unique connections from 170 countries.
PlugX has been used in attacks since at least 2008, mainly in cyber espionage and remote access operations by groups linked to the Chinese Ministry of State Security. Multiple threat groups have used it to target government, defense, technology, and political organizations, primarily in Asia and later expanding to the rest of the world.
A bit wild that the "disinfection" involves directing the malware to delete itself...
Wild that this software has been around since at least 2008, that's some crazy staying power (though it has received updates).
