PlugX malware deleted from thousands of systems by FBI


The FBI says it has removed PlugX malware from thousands of infected computers worldwide.

The move came after suspicion that cybercriminal groups under the control of the People’s Republic of China (PRC) used a version of PlugX malware to control, and steal information from, victims’ computers.

PlugX has been around since at least 2008 but is under constant development. With the remote access it provides criminals, it is often used to spy on users and plant additional malware on interesting systems.

Among others, the PlugX Remote Access Trojan (RAT) was used in a long-running campaign uncovered last year in which a Chinese group known as “Velvet Ant” used compromised F5 BIG-IP appliances to gain access to networks, managing to stay hidden for years.

US Attorney Jacqueline Romero for the Eastern District of Pennsylvania commented:

“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers.”

After researchers found that thousands of infected machines reported to one specific IP address, they managed to seize control of that IP address, which served as a Command & Control (C2) server.

In close cooperation with the French authorities, the FBI and Justice Department used this IP address to “sinkhole” the botnet. Sinkholing in this context means redirecting traffic from its original destination to one specified by the sinkhole owners. The altered destination is known as the sinkhole.

With control of the sinkhole, a specially configured DNS server can simply route the requests of the bots to a fake C2 server. This provides the controller of the sinkhole with valuable information about the affected systems and an opportunity to send commands to delete the PlugX version from the connecting devices.
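The DNS side of the sinkhole described above, as an added example that is not part of the original article or of the FBI operation: a minimal responder that answers queries for a sinkholed name with the sinkhole address and records which clients asked, which is the victim information the article mentions. The C2 name and all addresses are constructed placeholders, since the page does not give the real ones.

```python
import struct
import time
from collections import defaultdict

# Constructed placeholders: the page does not give the real PlugX C2 name or address.
SINKHOLED_NAMES = {"c2.example.invalid."}
SINKHOLE_IP = "192.0.2.10"   # RFC 5737 TEST-NET address standing in for the sinkhole
TTL = 60

def parse_qname(packet: bytes, offset: int = 12):
    """Read the QNAME labels of a DNS query; return (dotted name, offset past QNAME)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a standard A/IN query; used here only to construct sample bot traffic."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN

class Sinkhole:
    """Answers sinkholed names with the sinkhole IP and logs every client that asked."""
    def __init__(self):
        self.sightings = defaultdict(list)   # client IP -> [(timestamp, queried name)]

    def handle(self, packet: bytes, client_ip: str, now=None):
        qname, qend = parse_qname(packet)
        if qname not in SINKHOLED_NAMES:
            return None                      # not ours: a real server would forward upstream
        self.sightings[client_ip].append((now if now is not None else time.time(), qname))
        header = packet[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)   # same ID; QR=RD=RA=1
        question = packet[12:qend + 4]                                   # echo QNAME+QTYPE+QCLASS
        rdata = bytes(int(o) for o in SINKHOLE_IP.split("."))
        # Answer RR: pointer to QNAME at offset 12, TYPE=A, CLASS=IN, TTL, RDLENGTH, RDATA
        answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, TTL, len(rdata)) + rdata
        return header + question + answer

    def infected_hosts(self):
        """Victim list for notification (e.g. via ISPs): (client IP, first seen), sorted by IP."""
        return sorted((ip, min(t for t, _ in seen)) for ip, seen in self.sightings.items())

def answered_ip(response: bytes) -> str:
    """Extract the A record address from a response produced by Sinkhole.handle."""
    return ".".join(str(b) for b in response[-4:])
```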

FBI Special Agent in Charge Wayne Jacobs of the FBI Philadelphia Field Office said:

“The FBI worked to identify thousands of infected US computers and delete the PRC malware on them. The scope of this technical operation demonstrates the FBI’s resolve to pursue PRC adversaries no matter where they victimize Americans.”

The FBI says it is notifying those who had the malware deleted from their computers via their internet service providers (ISPs).
