Key points:
- Ownership of an IP address associated with the PlugX worm was successfully taken in September 2023.
- Two disinfection methods were developed: a self-delete command and targeted code execution.
- A call for collaboration was made to national CERTs and law enforcement agencies for sovereign disinfection.
- Over twenty countries responded, leading to the practical implementation of disinfection processes.
- An ergonomic interface was created for countries to manage disinfection operations easily.
- A total of 59,475 disinfection payloads were sent to 5,539 IP addresses during the campaign.
- Legal frameworks were established in collaboration with French authorities to facilitate the disinfection process.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: The disinfection payload was sent using standard application layer protocols.
- T1203 – Exploitation for Client Execution: The disinfection methods targeted compromised workstations for execution.
Indicators of Compromise:
- [IP Address] 192.0.2.1
- [IP Address] 203.0.113.5
- [IP Address] 198.51.100.10
- [IP Address] 192.0.2.44
- [IP Address] 203.0.113.22
- Check the article for all found IoCs.
In September 2023, we successfully took ownership of one of the IP addresses used by the PlugX worm—a variant of PlugX associated with Mustang Panda, which possesses worming capabilities by infecting flash drives. Following this success, we studied the inner workings of this malware to determine whether there was any possibility, by using the access we had gained, to disinfect the thousands of computers making requests to our sinkhole every second.
This research resulted in a blog post and a talk at BotConf 2024, where Charles Meslay and Félix Aimé shared their findings and two disinfection methods that can be used to remotely clean infected workstations. The first method involved sending a simple and reliable self-delete command to the compromised workstation. The second method was more intrusive, as it aimed to send and execute specific code to remove PlugX from the workstation and from any connected flash drives, if present.
We concluded our blog post with a call to national CERTs and law enforcement agencies (LEAs) to contact us if they wished to disinfect systems within their countries, promoting the concept of sovereign disinfection and addressing the legal aspects associated with such operations.
Following this call, and with the support of the Paris Public Prosecutor’s Office and the French Gendarmerie National Cyber Unit, more than twenty countries responded, pushing us to move from theory to practice. This blog post shows how it was done, what we developed for it, and the limits of such a process.
From theory to practice
Creating a disinfection process is somewhat more complex than setting up a simple sinkhole. In our case, we wanted each country to have the ability to disinfect specific assets. Therefore, within one week, we developed an ergonomic interface that allows any country to log in, access statistics on compromised assets (via both an API and a graphical user interface), and send a list of the assets to be disinfected.
Since each IP address reaching the sinkholed C2 was automatically enriched with its country, autonomous system, and CIDR from the beginning of the sinkholing operation, we were able to easily show each participant the compromised autonomous systems and IP addresses within their respective countries.
Once this information was in hand, participants in the operation simply had to select specific autonomous systems or, more precisely, provide the application with a CIDR block or an IP address to disinfect in order to start the process. Additionally, we provided countries with the option to activate a country-wide disinfection operation by simply checking a few checkboxes and pressing a button.
Since all participants wanted to prevent any side effects, only the first method of disinfection was used during the campaign. Therefore, technically speaking, the process was straightforward: if an IP address met one of the rules set by the operators, the sinkhole would respond with our disinfection payload, which consisted of just a few bytes. It would also record in a database which IP address received the payload, along with the rule that matched and the associated timestamp.
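The decision logic described above (enrich each beaconing IP with country, AS and CIDR; let a participant target an IP, a CIDR block, an AS or its whole country; answer matching beacons with the short payload and log who received it under which rule) is small enough to show end to end. The block below is an added example written for this page, not the Sekoia.io portal code. The enrichment table, the rule set, the operator names "AA"/"BB" and the payload bytes are constructed placeholders; the page does not publish the real self-delete bytes. One assumption is made explicit in code: a rule only fires for IPs enriched to the operator's own country, which is what "sovereign disinfection" implies.

```python
"""Rule-driven sinkhole responder for a disinfection campaign.

Added example, not the project's own code. Enrichment data, rules and the
payload are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Placeholder for the few-byte self-delete command; the real bytes are not on the page.
DISINFECTION_PAYLOAD = b"<SELF-DELETE-COMMAND-PLACEHOLDER>"

# Constructed enrichment table: prefix -> (country, ASN). A real sinkhole fills
# this from GeoIP/BGP data when each beacon is ingested.
ENRICHMENT_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("AA", 64496),
    ipaddress.ip_network("198.51.100.0/24"): ("AA", 64497),
    ipaddress.ip_network("192.0.2.0/24"): ("BB", 64498),
}


@dataclass(frozen=True)
class Enriched:
    ip: IPAddr
    country: Optional[str]
    asn: Optional[int]
    cidr: Optional[str]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    operator: str  # participating country that created the rule
    kind: str      # "ip" | "cidr" | "asn" | "country"
    value: str


@dataclass(frozen=True)
class LogEntry:
    ip: str
    rule_id: str
    operator: str
    ts: datetime


# Constructed rule set: r2 is a cross-border request and must never fire.
CONSTRUCTED_RULES = [
    Rule("r1", "AA", "cidr", "203.0.113.0/24"),
    Rule("r2", "AA", "ip", "192.0.2.44"),
    Rule("r3", "BB", "country", "BB"),
]


def enrich(ip_str: str) -> Enriched:
    """Attach country, ASN and CIDR to a beaconing IP (longest match not needed here)."""
    ip = ipaddress.ip_address(ip_str)
    for net, (country, asn) in ENRICHMENT_TABLE.items():
        if ip in net:
            return Enriched(ip, country, asn, str(net))
    return Enriched(ip, None, None, None)


def rule_matches(rule: Rule, e: Enriched) -> bool:
    """True if the rule covers this beacon. Sovereignty guard (assumed):
    an operator can only act on IPs enriched to its own country."""
    if e.country is None or e.country != rule.operator:
        return False
    if rule.kind == "ip":
        return e.ip == ipaddress.ip_address(rule.value)
    if rule.kind == "cidr":
        return e.ip in ipaddress.ip_network(rule.value, strict=False)
    if rule.kind == "asn":
        return e.asn == int(rule.value)
    if rule.kind == "country":
        return e.country == rule.value
    raise ValueError(f"unknown rule kind: {rule.kind}")


def first_matching_rule(e: Enriched, rules: List[Rule]) -> Optional[Rule]:
    return next((r for r in rules if rule_matches(r, e)), None)


def handle_beacon(ip_str: str, rules: List[Rule], log: List[LogEntry],
                  now: Optional[datetime] = None) -> Optional[bytes]:
    """Sinkhole behaviour per beacon: reply with the payload only when a rule
    matches, and record ip/rule/timestamp; otherwise absorb the beacon silently."""
    e = enrich(ip_str)
    rule = first_matching_rule(e, rules)
    if rule is None:
        return None
    log.append(LogEntry(str(e.ip), rule.rule_id, rule.operator, now or datetime.now(timezone.utc)))
    return DISINFECTION_PAYLOAD


def payloads_per_ip(log: List[LogEntry]) -> Dict[str, int]:
    """Repeated hits on one IP (NAT, VPN exits, satellite links) show up here."""
    counts: Dict[str, int] = {}
    for entry in log:
        counts[entry.ip] = counts.get(entry.ip, 0) + 1
    return counts


def campaign_summary(log: List[LogEntry]) -> Tuple[int, int]:
    """(payloads sent, distinct IPs reached), the two figures the campaign reported."""
    return len(log), len({entry.ip for entry in log})
```

The guard in `rule_matches` is what keeps the portal multi-tenant: a participant's CIDR or IP rule is silently ineffective outside its own country, and the log still lets an auditor reconstruct every payload sent, by whom and under which rule.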
PlugX worm disinfection campaign results
This disinfection campaign was the first of its kind for us—a proof of concept for sovereign disinfection. It enabled us to collaborate actively with various foreign authorities, most of the time under the supervision of the Paris Public Prosecutor’s Office and the French Gendarmerie National Cyber Unit, ensuring reliable and trusted communication with all participants.
At the end of the campaign, 34 countries requested simple sinkhole logs to identify which networks were compromised, 22 countries expressed interest in the disinfection process, and we were able to establish a legal framework and conduct disinfection operations for 10 countries.
In total, 59,475 disinfection payloads were sent during the campaign, targeting 5,539 IP addresses, sometimes hundreds of times to a single IP address (probably related to VPN exit nodes or SAT links). The relatively small number of IP addresses receiving the payloads is not surprising, as the countries requesting disinfection were not the most infected ones and some countries added only specific autonomous systems and/or IP addresses.
Conclusion
Beyond the purely technical aspect, this disinfection campaign presented several legal limitations, which were already detailed in our first blog post. It would have been impossible to carry out this campaign within a legal framework without the involvement of the Paris Public Prosecutor’s Office and the French Gendarmerie National Cyber Unit.
We remain available to any public or private entity interested in discussing the technical aspects of this operation in greater detail, including sharing the source code used for the disinfection portal/process.
Feel free to read other Sekoia.io TDR (Threat Detection & Research) analyses here:
Full Research: https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/