The FBI said today it removed Chinese malware from 4,258 U.S. computers and networks by sending commands that forced the malware to use its “self-removal feature.”
The government of the People's Republic of China (PRC) paid the Mustang Panda group to develop a version of the PlugX malware used to infect, control and steal information from victim computers, the FBI said. “Since at least 2014, Mustang Panda hackers subsequently infiltrated thousands of computer systems in campaigns that targeted U.S. victims, as well as European and Asian governments and companies, and Chinese dissident groups,” the FBI said.
The malware has been known for years, but many Windows computers continued to be infected without their owners knowing about it. The FBI learned of a method to remove the malware remotely from a French law enforcement agency, which had gained access to a command-and-control server that could send commands to infected computers.
“When a computer infected with this variant of PlugX malware connects to the Internet, the PlugX malware may send a request to communicate with a command-and-control (“C2”) server, whose IP address is hardcoded into the malware. In response, the C2 server may send various possible commands to the PlugX malware on the victim's computer,” according to an FBI affidavit taken on December 20 and released today.
It turns out that the PlugX malware variant's “native functionality includes a command from a C2 server to remove itself.” That command deletes the application, the files created by the malware, and the registry keys used to automatically run the PlugX application when the victim computer is started.