News: 1736883654

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

FBI wipes Chinese PlugX malware from thousands of Windows PCs in America

(2025/01/14)


The FBI, working with French cops, obtained nine warrants to remotely wipe PlugX malware from thousands of Windows-based computers that had been infected by Chinese government-backed criminals, according to newly unsealed court documents.

The Feds had been tracking a crew called [1]Mustang Panda , aka Twill Typhoon, for years, and claimed the Beijing-linked team had broken into “numerous government and private organizations” in the US, Europe, and Indo-Pacific region.

“Significant foreign targets include European shipping companies in 2024, several European Governments from 2021 to 2023, worldwide Chinese dissident groups, and governments throughout the Indo-Pacific,” American prosecutors noted

[2]PDF

in court filings.

[3]

According to the Feds, the People’s Republic of China paid Mustang Panda to, among other computer intrusion services, provide malware including PlugX.

[4]

[5]

The crew used a version of PlugX that allowed the miscreants to remotely access and control infected machines, steal files, and deploy additional malware. As detailed in the unsealed application for a search and seizure warrant to wipe the software from people's Microsoft Windows PCs:

This variant of PlugX malware spreads through a computer’s USB port, infecting attached USB devices, and then potentially spreading to other Windows-based computers that the USB device is later plugged into. Once it has infected the victim computer, the malware remains on the machine (maintains persistence), in part by creating registry keys which automatically run the PlugX application when the computer is started. Owners of computers infected by PlugX malware are typically unaware of the infection.

Yes, via USB flash drives. How very [6]Stuxnet . That would allow the snoops to bypass air gaps and similar defenses.

[7]French law enforcement [PDF] and Sekoia.io, a France-based private cybersecurity company, were able to pull the plug on PlugX, and shut down the operation, in 2023 after [8]Sekoia compromised the system behind the lone IP address used by Mustang Panda to remotely control computers infected with the software nasty.

That move came after Sophos [9]documented the USB-hopping PlugX earlier that year. Devices behind 45,000 IP addresses in the US alone had attempted to connect to that one remote-control server since its takedown, we're told.

[10]Undiplomatic Chinese threat actor attacks embassies and foreign affairs departments

[11]Chinese malware intended to infect USB drives accidentally infects networked storage too

[12]China's cyber intrusions took a sinister turn in 2024

[13]China's Volt Typhoon crew and its botnet surge back with a vengeance

Then in August 2024, the US Justice Department and FBI went to court to obtain nine warrants authorizing the deletion of PlugX from machines in America, which was then carried out. The last of these warrants expired on January 3, and in total, the operation wiped PlugX from about 4,258 US-based systems.

As we understand it, the Feds tested a self-destruct command built into PlugX that would remove the malicious code from infected machines, and then remotely ran that command on infected PCs to erase the software. The command was issued from a server using the IP address previously used to control the bots that was seized by the French.

[14]

According to the FBI, this self-delete command did the following:

a. delete the files created by the PlugX malware on the victim computer,

b. delete the PlugX registry keys used to automatically run the PlugX application when the victim computer is started,

c. create a temporary script file to delete the PlugX application after it is stopped,

d. stop the PlugX application, and

e. run the temporary file to delete the PlugX application, delete the directory created on the victim computer by the PlugX malware to store the PlugX files, and delete the temporary file from the victim computer.

The PlugX removal follows other international operations against China’s [15]Volt Typhoon (although its botnet appears to be [16]back in action ) and [17]Flax Typhoon , and [18]Russia’s APT28 (aka Fancy Bear).

“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” US Attorney Jacqueline Romero [19]said in a statement today.

The FBI says it is notifying US victims via their internet service providers that their Windows machines had been infected by the malware and were cleaned up during this operation. ®

Get our [20]Tech Resources



[1] https://www.theregister.com/2023/06/23/camaro_dragon_usb_malware_spreads/

[2] https://regmedia.co.uk/2025/01/14/plugx_malware_search_and_seizure_application.pdf

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z4bsm_9jyF4FcyWCI7XSkAAAAEg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z4bsm_9jyF4FcyWCI7XSkAAAAEg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z4bsm_9jyF4FcyWCI7XSkAAAAEg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2012/06/12/stuxnet_flame_links_discovered_by_security_researchers/

[7] https://www.tribunal-de-paris.justice.fr/sites/default/files/2024-07/2024-07-24%20-%20CP%20d%C3%A9mant%C3%A8lement%20botnet%20d%27espionnage%20plugX.pdf

[8] https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/

[9] https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/

[10] https://www.theregister.com/2023/07/04/smugx_europe_china_attack_europe/

[11] https://www.theregister.com/2023/06/23/camaro_dragon_usb_malware_spreads/

[12] https://www.theregister.com/2024/12/31/china_cyber_intrusions_2024/

[13] https://www.theregister.com/2024/11/13/china_volt_typhoon_back/

[14] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z4bsm_9jyF4FcyWCI7XSkAAAAEg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[15] https://www.theregister.com/2024/01/31/volt_typhoon_botnet/

[16] https://www.theregister.com/2024/11/13/china_volt_typhoon_back/

[17] https://www.theregister.com/2024/09/18/fbi_flax_typhoon_ransomware/

[18] https://www.theregister.com/2024/02/15/feds_go_fancy_bear_hunting/

[19] https://www.justice.gov/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed

[20] https://whitepapers.theregister.com/



Anonymous Coward

Since infection is likely due to user stupidity, it's a shame the fix can't automatically fill usb ports with hot glue

Scary

Will Godfrey

Regardless of the intent for this case, is anyone else a bit disturbed by the idea of America unilaterally wiping software from other peoples computers?

If they remove something, might they not also put 'a little something' back in there?

Re: Scary

Richard Boyce

This was done openly with a court order and using the malware itself and it seems that only computers in the US were cleaned up. If they had also added software at the same time, they'd be taking a ridiculously large risk, especially when other branches of government can do so more covertly.

Re: Scary

Anonymous Coward

And you trust them?

The double standards

VoiceOfTruth

The Feds had been tracking a crew called Mustang Panda, aka Twill Typhoon, for years, and claimed the Beijing-linked team had broken into “numerous government and private organizations” in the US, Europe, and Indo-Pacific region.

Which is exactly what the USA does. So where are the court filings? The egregious double standards, the Übermensch mentality of the USA is in plain sight.

“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” US Attorney Jacqueline Romero said in a statement today.

Ah diddums. If the USA didn't do it 1000 times greater, it might be able to play the victim card. What goes around comes around.

We can predict everything, except the future.