Threat Intel Solutions

Reset [Blogpost](https://blog.sekoia.io/category/blogpost/ ‘Blogpost’) [Research -& Threat Intelligence](https://blog.sekoia.io/category/research-threat-intelligence/ ‘Research & Threat Intelligence’) PlugX worm disinfection campaign feedbacks==========================================[Botnet](https://blog.sekoia.io/tag/botnet/) [disinfection](https://blog.sekoia.io/tag/disinfection/) [feedback](https://blog.sekoia.io/tag/feedback/) [plugx](https://blog.sekoia.io/tag/plugx/)  [Sekoia TDR](#molongui-disabled-link) December 26 2024 0 Read it later Remove 4 minutes reading Table of contents—————–* [From theory to practice](#h-from-theory-to-practice)* [PlugX worm disinfection campaign results](#h-plugx-worm-disinfection-campaign-results)* [Conclusion](#h-conclusion)In September 2023, **we successfully took ownership of one of the IP addresses used by the PlugX worm**—a variant of PlugX associated with Mustang Panda, which possesses worming capabilities by infecting flash drives. Following this success, we studied the inner workings of this malware to determine whether there was any possibility, by using the access we had gained, to disinfect the thousands of computers making requests to our sinkhole every second.This research resulted in a [**blog post**](https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/) and a**[talk at BotConf 2024](https://www.youtube.com/watch?v=oega_kLTch0)** , where Charles Meslay and Félix Aimé shared their findings and **two disinfection methods that can be used to remotely clean infected workstations**. The first method involved sending a simple and reliable self-delete command to the compromised workstation. The second method was more intrusive, as it aimed to send and execute specific code to remove PlugX from the workstation and from any connected flash drives, if present.We concluded our blog post with **a call to national CERTs and law enforcement agencies (LEAs) to contact us if they wished to disinfect systems within their countries** , promoting the **concept of sovereign disinfection** and addressing the legal aspects associated with such operations.Following this call, and with the support of the **Paris Public Prosecutor’s Office** and the **French Gendarmerie National Cyber Unit** , **more than twenty countries responded**, pushing us to move from theory to practice. This blogpost aims at showing how it has been done, what we have developped for that and the limits of such process.From theory to practice———————–Creating a disinfection process is somewhat more complex than setting up a simple sinkhole. In our case, **we wanted each country to have the ability to disinfect specific assets**. Therefore, within one week, we developed an ergonomic interface that allows any country to log in, access statistics on compromised assets (via both an API and a graphical user interface), and send a list of the assets to be disinfected.Since each IP address reaching the sinkholed C2 was automatically enriched with its country, autonomous system, and CIDR from the beginning of the sinkholing operation, **we were able to easily show each participant the compromised autonomous systems and IP addresses within their respective countries**.Once this information was in hand, participants in the operation simply had to select specific autonomous systems or, more precisely, provide the application with a CIDR block or an IP address to disinfect in order to start the process. Additionally, we provided countries with the option **to activate a country-wide disinfection operation by simply checking a few checkboxes and pressing a button**.Since all participants wanted to prevent any side effects, **only the first method of disinfection was used during the campaign**. Therefore, technically speaking, the process was straightforward: if an IP address met one of the rules set by the operators, the sinkhole would respond with our disinfection payload, which consisted of just a few bytes. It would also save in a database which IP address received the payload, along with the rule it followed and the associated timestamp.PlugX worm disinfection campaign results—————————————-This disinfection campaign was the first of its kind for us—a proof of concept for **sovereign disinfection**. It enabled us to collaborate actively with various foreign authorities, most of the time under the supervision of the Paris Public Prosecutor’s Office and the French Gendarmerie National Cyber Unit, ensuring reliable and trusted communication with all participants.At the end of the campaign, **34 countries requested simple sinkhole logs** to identify which networks were compromised, **22 countries expressed interest in the disinfection process** , and we were able to establish **a legal framework and conduct disinfection operations for 10 countries**.In total, **59,475 disinfection payloads were sent during the campaign, targeting 5,539 IP addresses**, sometimes hundreds of times to a single IP address (probably related to VPN exit nodes or SAT links). The relatively small number of IP addresses receiving the payloads is not surprising, as the countries requesting disinfection were not the most infected ones and some countries added only specific autonomous systems and/or IP addresses.Conclusion———-Beyond the purely technical aspect, this disinfection campaign presented several legal limitations, which were already detailed in our first blog post. **It would have been impossible to carry out this campaign within a legal framework without the involvement of the Paris Public Prosecutor’s Office and the French Gendarmerie National Cyber Unit.**We remain available to any public or private entity interested in **discussing the technical aspects of this operation in greater detail, including sharing the source code** used for the disinfection portal/process.**Feel free to read other Sekoia.io TDR (Threat Detection -& Research) analysis here :*** [XDR detection engineering at scale: crafting detection rules for SecOps efficiency](https://blog.sekoia.io/xdr-detection-rules-at-scale/)* [Hunting for IoCs: from singles searches to an automated and repeatable process](https://blog.sekoia.io/hunting-for-iocs-from-singles-searches-to-an-automated-and-repeatable-process/)* [Lucky Mouse: Incident Response to Detection Engineering](https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/)* [Adversary infrastructures tracked in 2023](https://blog.sekoia.io/adversary-c2-infrastructures-tracked-in-2023/)* [A war on multiple fronts — the turbulent cybercrime landscape](https://blog.sekoia.io/a-war-on-multiple-fronts-the-turbulent-cybercrime-landscape/)* [Unplugging PlugX: Sinkholing the PlugX USB worm botnet](https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/)* [Happy YARA Christmas!](https://blog.sekoia.io/happy-yara-christmas/)[](https://www.facebook.com/sharer/sharer.php?u=https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/ ‘Share this post on Facebook’) [](https://twitter.com/share?text=PlugX%20worm%20disinfection%20campaign%20feedbacks&url=https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/ ‘Share this post on Twitter’) [](https://www.linkedin.com/sharing/share-offsite/?url=https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/ ‘Share this post on LinkedIn’) [](https://www.reddit.com/submit?url=https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/&title=PlugX%20worm%20disinfection%20campaign%20feedbacks ‘Share this post on Reddit’) [](mailto:?subject=PlugX%20worm%20disinfection%20campaign%20feedbacks&body=PlugX%20worm%20disinfection%20campaign%20feedbacks%0D%0AIn%20September%202023%2C%20we%20successfully%20took%20ownership%20of%20one%20of%20the%20IP%20addresses%20used%20by%20the%20PlugX%20worm%E2%80%94a%20variant%20of%20PlugX%20associated%20with%20Mustang%20Panda%2C%20which%20possesses%20worming%20capabilities%20by%20infecting%20flash%20drives.%20Following%20this%20success%2C%20we%20studied%20the%20inner%20workings%20of%20this%20malware%20to%20determine%20whether%20there%20was%20any%20possibility%2C%20by%20using%20the%20access%20%5B%26hellip%3B%5D%0D%0A%0D%0ARead%20more%20at%3A%20https%3A%2F%2Fblog.sekoia.io%2Fplugx-worm-disinfection-campaign-feedbacks%2F ‘Send this post via email’) Share  [Sekoia TDR](#molongui-disabled-link) TDR is the Sekoia Threat Detection -& Research team. Created in 2020, TDR provides exclusive Threat Intelligence, including fresh and contextualised IOCs and threat reports for the Sekoia SOC Platform TDR is also responsible for producing detection materials through a built-in Sigma, Sigma Correlation and Anomaly rules catalogue. TDR is a team of multidisciplinary and passionate cybersecurity experts, including security researchers, detection engineers, reverse engineers, and technical and strategic threat intelligence analysts. Threat Intelligence analysts and researchers are looking at state-sponsored -& cybercrime threats from a strategic to a technical perspective to track, hunt and detect adversaries. Detection engineers focus on creating and maintaining high-quality detection rules to detect the TTPs most widely exploited by adversaries. TDR experts regularly share their analysis and discoveries with the community through our research blog, GitHub repository or X / Twitter account. You may also come across some of our analysts and experts at international conferences (such as BotConf, Virus Bulletin, CoRIIN and many others), where they present the results of their research work and investigations. Share this post: [](https://www.facebook.com/sharer/sharer.php?u=https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/ ‘Share this post on Facebook’) [](https://twitter.com/share?text=PlugX%20worm%20disinfection%20campaign%20feedbacks&url=https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/ ‘Share this post on Twitter’) [](https://www.linkedin.com/sharing/share-offsite/?url=https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/ ‘Share this post on Twitter’) [](https://www.reddit.com/submit?url=https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/&title=PlugX%20worm%20disinfection%20campaign%20feedbacks ‘Share this post on Reddit’) [](whatsapp://send?text=PlugX%20worm%20disinfection%20campaign%20feedbacks%20-%20https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/ ‘Share this post on WhatsApp’) [](tg://msg_url?url=https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/&text=PlugX%20worm%20disinfection%20campaign%20feedbacks ‘Share this post on Telegram’) [](mailto:?subject=PlugX%20worm%20disinfection%20campaign%20feedbacks&body=PlugX%20worm%20disinfection%20campaign%20feedbacks%0D%0AIn%20September%202023%2C%20we%20successfully%20took%20ownership%20of%20one%20of%20the%20IP%20addresses%20used%20by%20the%20PlugX%20worm%E2%80%94a%20variant%20of%20PlugX%20associated%20with%20Mustang%20Panda%2C%20which%20possesses%20worming%20capabilities%20by%20infecting%20flash%20drives.%20Following%20this%20success%2C%20we%20studied%20the%20inner%20workings%20of%20this%20malware%20to%20determine%20whether%20there%20was%20any%20possibility%2C%20by%20using%20the%20access%20%5B%26hellip%3B%5D%0D%0A%0D%0ARead%20more%20at%3A%20https%3A%2F%2Fblog.sekoia.io%2Fplugx-worm-disinfection-campaign-feedbacks%2F ‘Send this post via email’)  [Sekoia TDR](#molongui-disabled-link) TDR is the Sekoia Threat Detection -& Research team. Created in 2020, TDR provides exclusive Threat Intelligence, including fresh and contextualised IOCs and threat reports for the Sekoia SOC Platform TDR is also responsible for producing detection materials through a built-in Sigma, Sigma Correlation and Anomaly rules catalogue. TDR is a team of multidisciplinary and passionate cybersecurity experts, including security researchers, detection engineers, reverse engineers, and technical and strategic threat intelligence analysts. Threat Intelligence analysts and researchers are looking at state-sponsored -& cybercrime threats from a strategic to a technical perspective to track, hunt and detect adversaries. Detection engineers focus on creating and maintaining high-quality detection rules to detect the TTPs most widely exploited by adversaries. TDR experts regularly share their analysis and discoveries with the community through our research blog, GitHub repository or X / Twitter account. You may also come across some of our analysts and experts at international conferences (such as BotConf, Virus Bulletin, CoRIIN and many others), where they present the results of their research work and investigations. ### What’s next[](https://blog.sekoia.io/happy-yara-christmas/) [Happy YARA Christmas!](https://blog.sekoia.io/happy-yara-christmas/)———————————————————————In the ever-evolving landscape of cybersecurity, effective threat detection is paramount. Since its creation, YARA stands out as a…  [Sekoia TDR](#molongui-disabled-link) [](https://blog.sekoia.io/detection-engineering-at-scale-one-step-closer-part-one/) [Detection engineering at scale: one step closer (part one)](https://blog.sekoia.io/detection-engineering-at-scale-one-step-closer-part-one/)———————————————————————————————————————————————Security Operations Center (SOC) and Detection Engineering teams frequently encounter challenges in both creating and maintaining detection rules, along…  [Guillaume C., Erwan Chevalier and Sekoia TDR](#molongui-disabled-link) [](https://blog.sekoia.io/the-story-behind-sekoia-io-custom-integrations/) [The story behind Sekoia.io Custom Integrations](https://blog.sekoia.io/the-story-behind-sekoia-io-custom-integrations/)————————————————————————————————————————Since launching in 2017, Sekoia.io has made a name for itself with its groundbreaking vision in threat detection, leveraging…  [Julien Cuny and Khaoula Ettaleb](#molongui-disabled-link) ### Trending topics[](https://blog.sekoia.io/tag/soc/) [SOC](https://blog.sekoia.io/tag/soc/)————————————–[](https://blog.sekoia.io/tag/ransomware/) [Ransomware](https://blog.sekoia.io/tag/ransomware/)—————————————————-[](https://blog.sekoia.io/tag/soc-platform/) [SOC platform](https://blog.sekoia.io/tag/soc-platform/)——————————————————– * [APT](https://blog.sekoia.io/tag/apt/)* [Cyber Threat Intelligence](https://blog.sekoia.io/tag/cti/)* [Cybercrime](https://blog.sekoia.io/tag/cybercrime/)* [Detection](https://blog.sekoia.io/tag/detection/)* [Infostealer](https://blog.sekoia.io/tag/stealer/)* [Malware](https://blog.sekoia.io/tag/malware/)* [Ransomware](https://blog.sekoia.io/tag/ransomware/)* [XDR](https://blog.sekoia.io/tag/xdr/)* [Discover Sekoia SOC platform](https://www.sekoia.io/en/you-are/)* [Stay tuned](https://www.sekoia.io/en/newsletter/)

Related Tags:
NAICS: 541 – Professional

Scientific

Technical Services

NAICS: 92 – Public Administration

NAICS: 922 – Justice

Public Order

Safety Activities

Thoper

Kaba

Korplug

TVT

Sogu

PlugX

Associated Indicators: