National Police Probe Botnet Campaign That Infected 3,000 Machines
The French government has launched an investigation into a suspected Chinese espionage campaign that infected thousands of networks in France.
The Paris Public Prosecutor’s Office on Thursday said it launched a preliminary investigation into a “network of machine zombies,” or botnets, used for suspected espionage purposes. French cybersecurity firm Sekoia uncovered the hacking campaign in 2023.
The botnet campaign pushed out the PlugX remote access Trojan that has infected 3,000 machines in France since 2020. The digital unit of the French National Police is leading efforts to restore the affected devices.
“The disinfection operation was launched on July 18, and will continue for several months,” the Paris Public Prosecutor’s Office said. “A few hours after the start of the process, around a hundred victims have already benefited from this disinfection, mainly in France.”
French authorities also restored devices in Malta, Portugal, Croatia, Slovakia and Austria. “French victims will be individually notified by the National Information Systems Security,” the Prosecutor’s Office said.
PlugX, also known as Destroy RAT and Kaba, has been active since 2008. The malware offers backdoor capabilities, allowing attackers to gain full remote control of infected devices. It has typically been associated with Chinese advanced persistent threat groups tracked as VioletTyphoon, Mustang Panda and Wicked Panda.
An analysis by Sekoia said the campaign used a previously unseen worm variant of PlugX, which it attributed to the Chinese APT group Mustang Panda. The campaign, which began in 2020, has spread through infected USB flash drives, the company said.
When a victim opened the malicious file on the USB drive, PlugX copied itself to the host, established persistence and then checked every 30 seconds for newly connected USB drives in order to infect them as well.
Sekoia estimates the campaign has targeted millions of devices in over 170 countries so far, leading the company to believe the likely motive of the botnet operators is to infect as many victims as possible in multiple countries, as well as to target offline devices.
A Sekoia spokesperson said the company has taken control of the command-and-control server of the botnet campaign. “We developed the disinfection tool that was offered to the police force. It is then the role of each authority to decide and manage the disinfection campaign in their respective country,” the spokesperson told Information Security Media Group.