In an unprecedented effort to combat malware, the Sekoia Threat Detection & Research team spearheaded a campaign to disinfect thousands of systems infected with the PlugX worm. This malware, linked to the notorious Mustang Panda group, spreads through infected flash drives, posing a significant threat to global cybersecurity.
This operation, a demonstration of what collaborative threat intelligence and coordinated action can achieve, saw Sekoia team up with national CERTs and law enforcement agencies from over 20 countries. It targeted a PlugX variant attributed to Mustang Panda that has worming capabilities and spreads by infecting removable drives.
Sekoia’s journey began in September 2023 when they gained control of a key IP address used by the PlugX worm. This breakthrough allowed them to analyze the malware’s behavior and develop disinfection methods, as detailed in their blog post and presentation at BotConf 2024.
“Creating a disinfection process is somewhat more complex than setting up a simple sinkhole,” Sekoia explained in their latest report. To facilitate this complex process, Sekoia developed a user-friendly interface that empowered each participating country to:
- Access critical statistics: Gain insights into compromised assets within their borders.
- Pinpoint disinfection targets: Select specific autonomous systems, CIDR blocks, or IP addresses for targeted cleaning.
- Initiate country-wide disinfection: Activate comprehensive disinfection operations with ease.
To ensure safety and minimize potential side effects, the campaign employed a self-delete command as the primary disinfection method. Sekoia’s sinkhole, acting as the central command point, answered the check-in requests from infected machines with this self-delete payload.
The results of this groundbreaking campaign speak for themselves:
- 34 countries received sinkhole logs to identify compromised networks within their jurisdictions.
- 22 countries expressed keen interest in the disinfection process.
- 10 countries actively participated in the disinfection operation, supported by a robust legal framework.
“This disinfection campaign was the first of its kind for us—a proof of concept for sovereign disinfection,” Sekoia reported. The campaign successfully neutralized the threat on 5,539 IP addresses, sending a total of 59,475 disinfection payloads.