
FBI Deletes PlugX Malware From Computers Infected by China Group – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt

The FBI, with the help of French law enforcement and a private cybersecurity company, deleted a version of the PlugX malware from more than 4,200 infected computers in the United States that investigators claimed were implanted by a Chinese state-sponsored threat group to steal information.

The elimination of the remote access trojan (RAT) from the systems, which began in August 2024, was part of a months-long investigation that determined that the threat group Mustang Panda – also known as Twill Typhoon – had infected systems around the country since September 2023, and that during that time at least 45,000 IP addresses in the United States had contacted the malware’s command-and-control (C2) server.

According to an affidavit filed in Federal District Court in Pennsylvania, Mustang Panda hackers were paid by the Chinese government to develop this version of PlugX – a malware that has been around for more than a decade – to control and steal data from the infected Windows computers, many of which were privately owned.

The malware is hard to detect and victims rarely can tell if their systems are infected, according to the affidavit by an FBI agent.

Latest China-Backed Attack to Come to Light

The years-long intrusion into these systems is only the latest Chinese-backed cyberattack against the United States that has come to light over the past few years. Threat groups linked to the People’s Republic of China (PRC) government – such as Volt Typhoon, Salt Typhoon, and Flax Typhoon – have infiltrated government agencies and critical infrastructure organizations like telecommunications in major intrusions that in some cases the U.S. government is still getting its hands around.

“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” U.S. Attorney Jacqueline Romero for the Eastern District of Pennsylvania said in a statement.

Wide Use of PlugX

Mustang Panda has been using versions of PlugX since 2014 and over the years has used it to infiltrate computers of government and private organizations in multiple countries – including the United States – with targets that include European shipping companies last year, various European governments between 2021 and 2023, and Chinese dissident groups.

Governments around Asia, including Taiwan, Japan, South Korea, India, and Pakistan, also have been targeted over the years.

Malware Spread Via USB Devices

The FBI agent said in the affidavit that this version of the PlugX malware spread through systems’ USB ports, infecting attached USB devices and then spreading further when those USB devices were plugged into other systems.

“Once it has infected the victim computer, the malware remains on the machine (maintains persistence), in part by creating registry keys which automatically run the PlugX application when the computer is started,” the agent wrote. “Owners of computers infected by PlugX malware are typically unaware of the infection.”

The malware then contacts the C2 server seeking instructions, which could include gathering information about the infected system – such as its IP address – exploring files on the system, and then deleting, uploading, downloading, or moving those files.

The functions “allow the controller of the C2 server to identify a targeted victim, and then collect and stage the victim’s computer files for exfiltration,” the agent wrote.

Self-Deleting

The Justice Department operation came together in part thanks to French investigators and private cybersecurity pros at vendor Sekoia.io. According to the FBI agent’s affidavit, French law enforcement was able to get access into the PlugX variant’s C2 server, which was used to send commands to the infected computers.

Native to the variant’s functionality was a command from the C2 server to self-delete, which includes deleting files on the victim’s computer that were created by PlugX, deleting the PlugX registry keys that cause the system to automatically run the malware when the infected system is turned on, stopping the malware, taking steps to delete it, and erasing any other evidence of infection.

In conjunction with French investigators, the FBI can send the self-delete command to any infected system, an operation that doesn’t harm any legitimate functions on the device. They can also identify targeted U.S.-based systems via another native function that requests the location of every infected computer, giving investigators a list of systems to send the self-delete command to.


Original Post URL: https://securityboulevard.com/2025/01/fbi-deletes-plugx-malware-from-computers-infected-by-china-group/

Category & Tags: Cloud Security,Cybersecurity,Data Security,Endpoint,Featured,Incident Response,Industry Spotlight,Malware,Network Security,News,Security Awareness,Security Boulevard (Original),Social – Facebook,Social – LinkedIn,Social – X,Spotlight,Threat Intelligence,Threats & Breaches,china espionage,FBI investigation of cybercrime,Mustang Panda,PlugX,windows malware
