French authorities, in collaboration with international cybersecurity experts, have dismantled a significant botnet operation that infected millions of devices worldwide, including several thousand in France. The botnet, operated using the malware PlugX, was primarily utilized for espionage purposes.
The investigation, initiated by the cybersecurity firm Sekoia, was taken up by the J3 section of the Paris Public Prosecutor's Office and entrusted to the C3N (the center for combating digital crimes of the national gendarmerie). The PlugX malware, classified as a Remote Access Trojan (RAT), was distributed via USB devices. Once installed, it allowed attackers to execute arbitrary commands and exfiltrate data from compromised systems.
Sekoia's analysts identified and seized control of the command and control (C2) server that managed the botnet and controlled millions of infected machines globally. Around 3,000 of these were located in France, and nearly 100,000 distinct victim devices were receiving commands from it daily.
Removing PlugX payloads
In September 2023, Sekoia successfully sinkholed a command and control server linked to the PlugX worms by acquiring its unique IP address for $7. This server received daily connections from approximately 90,000 to 100,000 infected devices, highlighting the extensive reach of the botnet. Through this sinkholing operation, Sekoia not only monitored but also devised a method to remotely disinfect the infected workstations and USB devices, marking a significant step in countering this widespread threat.
In collaboration with the C3N, Sekoia developed a remote disinfection technique to clean the infected machines. This solution has been shared with foreign partners through Europol, reflecting a coordinated international effort to tackle this cyber threat.
The disinfection campaign commenced on July 18, 2024, and will continue over the coming months. Already, hundreds of victims, predominantly in France but also in Malta, Portugal, Croatia, Slovakia, and Austria, have benefited from this initiative. By the end of 2024, French victims will receive individual notifications from the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), as stipulated by Article L. 33-14, paragraph 5 of the Postal and Electronic Communications Code.
Preventive measures
The Paris Public Prosecutor's Office emphasizes the importance of daily cybersecurity practices, particularly the use of up-to-date antivirus software and caution with unknown USB devices and links.
To prevent PlugX infections via USB devices, users should avoid unknown or untrusted USB devices and scan USB drives with updated antivirus software before opening any files on them. It is also important to disable the autorun feature on computers so that programs on USB devices are not executed automatically.
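As an added example (not from the article, from Sekoia, or from the C3N), the following PowerShell script audits and, when run from an elevated prompt, enforces the Windows AutoRun policy that the article advises disabling; the registry key and the value names NoDriveTypeAutoRun and NoAutorun are the documented Explorer policy values, and the function names are the author's own.

```powershell
# Added example, not part of the original article: audit and enforce the
# Windows AutoRun policy for removable media.
# Key and value names are the documented Explorer policy values.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    # Returns the current policy values; $null means "not configured".
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $props.NoDriveTypeAutoRun   # 0xFF = AutoRun off on every drive type
        NoAutorun          = $props.NoAutorun            # 1 = autorun.inf is never honoured
        Hardened           = ($props.NoDriveTypeAutoRun -eq 0xFF) -and ($props.NoAutorun -eq 1)
    }
}

function Set-AutoRunDisabled {
    # Writes under HKLM, so this needs an elevated (administrator) prompt.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name NoAutorun -PropertyType DWord -Value 1 -Force | Out-Null
    Get-AutoRunPolicy   # return the state after the change so the caller can confirm it
}

# Audit first; only change the policy if it is not already fully disabled.
$current = Get-AutoRunPolicy
if ($current.Hardened) {
    Write-Output 'AutoRun policy already hardened.'
} else {
    Write-Warning 'AutoRun is not fully disabled; run Set-AutoRunDisabled from an elevated prompt.'
}
```

These policies only stop Windows from executing content automatically when a drive is inserted; a user who manually opens a file from the drive is not protected by them, so the scanning advice above still applies.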