PlugX Malware Takedown and Implications

What Happened?

The Chinese-based hacking group “Mustang Panda” recently deployed a new variant of the PlugX style malware. However, PlugX is nothing new. In fact, PlugX dates back to 2008! Typically, PlugX infections originate from USBs in orchestrated social engineering operations where a malicious drive is left near the target company. A curious employee then finds and plugs the USB into their computer. Once attached to a device, the malware payload activates, rapidly infecting all other computer-attached media.

Mustang Panda Avatar. Source: Crowdstrike

What makes Mustang Panda’s PlugX virulent is the payload. Their enhanced version of the malware establishes persistence, deploys a reverse shell, and acts as a remote access trojan. Once on a host, the malware installs three disguised system files which allows threat actors to capture data from the computer.

PlugX Disguised Files. Source: Palo Alto Networks

The FBI and Sekoia.io collaborated to trace the IP address PlugX used to communicate with its master server. Authorities then seized the domain, allowing them to control all infected hosts. The FBI then focused its efforts on all domestically infected hosts, obtaining nine warrants to work with ISPs and remotely delete the malware.

Implications of Remote Deletion

The FBI’s decision to remotely delete the PlugX malware from infected hosts did reduce the immediate threat of espionage. However, such interventions raise questions regarding user privacy and whether ISPs should allow law enforcement to act without informing the victims. Even though the remote deletion was for malware, the victims were not informed until after the deletion took place for the FBI to access the malware remotely. They decided that not warning users would avoid “premature disclosure” and prevent hackers from altering the malware before its removal. For ISPs to allow access to personal computers without prior notice is certainly a major concern for privacy.