Global Campaign Targets PlugX Malware with Innovative Portal

A groundbreaking malware disinfection campaign targeting the PlugX worm has been executed with the collaboration of international authorities.

Led by the Sekoia Threat Detection & Research team, the operation disinfected compromised systems across multiple countries.

The PlugX worm, often linked to Mustang Panda, can spread through infected flash drives, making it highly pervasive. After gaining control of a key command-and-control (C2) server in 2023, Sekoia researchers Charles Meslay and Félix Aimé analyzed the malware and proposed two potential disinfection methods.

These included a self-delete command and a more advanced code execution method to clean systems and connected drives. The campaign primarily employed the simpler, less intrusive approach to mitigate risks.

Responding to a public call for assistance, 34 countries requested sinkhole logs to identify compromised networks, while 22 expressed an interest in active disinfection.

Ultimately, disinfection operations were carried out in ten countries under the supervision of the Paris Public Prosecutor’s Office and the French Gendarmerie National Cyber Unit.

Disinfection Interface for Global Use

To streamline operations, Sekoia developed a dedicated disinfection portal in just one week. This platform allowed participating nations to log in, access detailed statistics about infected assets and initiate disinfection campaigns by selecting specific networks or IP ranges.

The process ensured minimal disruption. If an IP address matched predefined criteria, the sinkhole sent a small disinfection payload and logged the operation.

Throughout the campaign, 59,475 payloads were sent to 5,539 IP addresses.
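The gating logic described above, modelled as an added example rather than Sekoia's portal or sinkhole code: a beacon from an infected host is acted on only when a participating authority has approved that network, every decision is written to an audit log, and the campaign totals are derived from that log. The authority names, address ranges and beacon stream are constructed for illustration.

```python
"""Sinkhole-side authorization gate and audit log (constructed example)."""
import ipaddress

# Constructed sample authorizations: each participating authority names the
# networks it has approved for active disinfection. Beacons from any other
# address are only logged, never acted on.
AUTHORIZED_RANGES = {
    "country-A": [ipaddress.ip_network("203.0.113.0/24")],
    "country-B": [ipaddress.ip_network("198.51.100.0/25")],
}


def authorizing_party(ip):
    """Return the authority whose approved range covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for party, nets in AUTHORIZED_RANGES.items():
        if any(addr in net for net in nets):
            return party
    return None


def handle_beacon(ip, audit_log):
    """Decide for one callback: the simple self-delete command goes out only
    when an authority has approved that network; the decision is always logged."""
    party = authorizing_party(ip)
    action = "disinfect" if party else "log_only"
    audit_log.append({"ip": ip, "action": action, "authorized_by": party})
    return action


def campaign_stats(audit_log):
    """Payloads sent and distinct addresses reached, the two figures a campaign reports."""
    sent = [e for e in audit_log if e["action"] == "disinfect"]
    return len(sent), len({e["ip"] for e in sent})


# Constructed beacon stream: the worm re-beacons, so one host can receive
# several payloads, which is why payload count exceeds distinct IP count.
SAMPLE_BEACONS = ["203.0.113.10", "203.0.113.10", "198.51.100.7",
                  "198.51.100.200", "192.0.2.5"]


def run_sample():
    """Process the constructed beacons and return the resulting audit log."""
    log = []
    for ip in SAMPLE_BEACONS:
        handle_beacon(ip, log)
    return log
```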

Legal and Technical Challenges

While technically straightforward, the campaign underscored significant legal complexities. The active involvement of law enforcement and judicial authorities was crucial to maintaining compliance with international laws.

This collaboration also set a precedent for future disinfection efforts, showcasing the potential of sovereign cybersecurity partnerships.
