
FBI removes PlugX malware from computers infected by Chinese group


The FBI, with the help of French law enforcement and a private cybersecurity firm, removed a version of the PlugX malware from more than 4,200 infected computers in the United States that investigators said was implanted by a Chinese state-owned threat group to steal information.

Removing the Remote Access Trojan (RAT) from systems, an effort that began in August 2024, was part of a months-long investigation that found the Mustang Panda threat group, also tracked as Twill Typhoon, had been infecting systems across the country since September 2023, and that, at the time, at least 45,000 IP addresses in the United States had connected to the malware's command-and-control (C2) server.

According to the affidavit filed in federal district court in Pennsylvania, the Chinese government paid the Mustang Panda hackers to develop this version of PlugX, a malware family that has been around for more than a decade, to control and steal data from infected Windows computers, many of which were privately owned.

The malware is difficult to detect, and victims rarely can tell if their systems are infected, according to an FBI agent’s testimony.

The latest Chinese intrusion to come to light

The years-long intrusion into these systems is just the latest Chinese-backed cyberattack on the United States to come to light in the past few years. Threat groups associated with the government of the People's Republic of China (PRC), such as Volt Typhoon, Salt Typhoon and Linen Typhoon, infiltrated government institutions and critical infrastructure operators such as telecommunications providers in major intrusion campaigns, some of which the US government is still investigating.

“This large-scale hacking and prolonged infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of the PRC state-sponsored hackers,” Jacqueline Romero, U.S. Attorney for the Eastern District of Pennsylvania, said in a statement.

Extensive use of PlugX

Mustang Panda has been using versions of PlugX since 2014 and has used it over the years to break into the computers of government and private organizations in many countries, including the United States. Its targets have included European transport companies last year, various European governments between 2021 and 2023, and Chinese dissident groups.

Governments in Asia, including Taiwan, Japan, South Korea, India and Pakistan, have also been targeted over the years.

Malware is spread through USB devices

An FBI agent said in a sworn statement that this version of the PlugX malware spread through the USB ports of infected systems: it infected any USB device that was plugged in and then spread further when that device was used on other systems.

“Once a victim computer is infected, the malware remains on the machine (persistent), in part by creating registry keys that automatically launch the PlugX program when the computer starts up,” the agent wrote. “Owners of computers infected with the PlugX malware are usually unaware of the infection.”

The malware then communicates with the C2 server, receiving instructions that may include gathering information about the infected system, such as its IP address, examining files on the system, and then deleting, downloading, uploading, or moving those files.

These features “allow the C2 server controller to identify a target victim and then collect and expose the victim’s computer files for hijacking,” the agent wrote.
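The affidavit describes persistence through registry keys that launch the malware at startup, which is the hook a defender can look for. The following PowerShell script is an added example, not code from the article, the FBI, or Sekoia.io, and it contains no PlugX indicators: it enumerates the standard Run/RunOnce autostart keys and flags entries that launch from user-writable or commonly abused directories, point at a missing file, or lack a valid Authenticode signature. The directory list and the heuristics are assumptions for triage; every hit needs human review, and absence of a hit does not prove a clean machine.

```powershell
# Added example: audit Windows autostart registry keys for suspicious launch entries.
# Key paths are the standard Run/RunOnce locations; the suspect-directory list and the
# flagging rules are assumptions for triage, not PlugX-specific indicators of compromise.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Locations a low-privilege process can write to; legitimate autostart entries rarely live here.
$SuspectDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ }

function Get-ExecutablePath {
    param([string]$CommandLine)
    # Extract the executable from a Run value: a quoted path, the first token ending in .exe,
    # or, failing both, the first whitespace-delimited token.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Get-AutostartFindings {
    $findings = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...) that Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $p.Value))
            $reasons = @()
            foreach ($dir in $SuspectDirs) {
                if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "launches from $dir"
                    break
                }
            }
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                # An unsigned or tampered binary in an autostart key deserves a closer look.
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
            } else {
                # A dangling entry can mean a removed payload or a path this parser could not resolve.
                $reasons += 'target file not found'
            }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Key        = $key
                    Name       = $p.Name
                    Command    = $p.Value
                    Executable = $exe
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

Get-AutostartFindings | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session so the HKLM keys are readable; HKCU reflects only the current user, so repeat under each account, or walk the loaded hives under HKU:, on a shared machine. Services, scheduled tasks and startup folders are other autostart locations this check does not cover.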

Self-delete

The Justice Department’s operation was carried out in part by French investigators and private cybersecurity specialists from vendor Sekoia.io. According to an FBI agent’s affidavit, French law enforcement was able to access the C2 server of the PlugX variant, which was used to send commands to infected computers.

The variant's own functionality includes a self-delete command issued from the C2 server. It deletes the files PlugX created on the victim's computer, deletes the PlugX registry keys that make the system automatically run the malware when it is powered on, stops the running malware, takes steps to remove it, and removes any other evidence of infection.

Together with French investigators, the FBI was able to send the self-delete command to any infected system, an operation that does not affect any legitimate function of the device. Another built-in feature, which requests the location of each infected computer, let them identify the target systems in the US, giving investigators a list of systems to send the self-delete command to.