The FBI has just closed a back door to thousands of computers by forcing malware to remove itself. According to a press release from the Department of Justice, the bureau was able to force PlugX, a malware used by Chinese state hacking groups to steal information from victims, to delete itself from its victims’ computers.
According to Malpedia, PlugX is a remote access trojan that has been around since at least 2008, and has been a favorite tool of the infamous Chinese hacking group often referred to as “Mustang Panda” or “Twill Typhoon”, which has used it to infect computers in the United States, Asia, and Europe. The malware, which typically infects victims who plug an infected USB drive into a computer, gives attackers full remote access to the system, including the ability to log keystrokes, intercept screen activity, and execute commands.
To send stolen information back and receive new commands, the malware on a compromised computer connects to a command and control server operated by the hacking group. According to the FBI, since September 2023, at least 45,000 IP addresses in the United States have been exchanging data with that command and control server.
It was this server that allowed the FBI to finally take down this annoying piece of malware. First, they took advantage of the know-how of the French intelligence services, which had recently discovered a technique that could make PlugX delete itself. The FBI then gained access to the hackers’ command and control server and used it to request the IP addresses of all computers that were actively infected with PlugX. A command was then sent through the server to force PlugX to remove itself from the victims’ computers.
This is how PlugX was removed from more than 4,258 computers across the country, according to the FBI. Similar operations conducted by partner law enforcement agencies have cleaned thousands of other computers around the world.
However, PlugX is probably far from dead. Cybersecurity firm Sekoia discovered the malware’s command and control server back in April 2024 and reported that it had received pings from 2,500,000 unique devices in 170 countries over a six-month period. The malware has been a headache for security experts and has been used to target a wide range of victims. According to the FBI, it has been used in recent years to infect European shipping companies, government agencies across Europe and the Indo-Pacific, and Chinese dissident groups. At least some of the PlugX operations have now been neutered, so that’s something.