New variant of PlugX malware hides on USB devices to infect Windows systems

PlugX malware used by cybercriminals to infect new Windows hosts

PlugX malware spread on USBs has the potential to infect air-gapped systems

PlugX is a well-known remote access trojan that has been used in cyber attacks since at least 2008. Initially it was associated with Chinese hacker groups, but over time it spread so widely that many actors adopted it, which makes attribution of any given PlugX intrusion difficult. Recently, security researchers discovered a variant of PlugX that hides its files on removable USB drives and infects the Windows hosts those drives are plugged into, using a “novel technique” that keeps the files out of sight for longer and gives the malware a path onto air-gapped systems.

The sample of this variant was found by Palo Alto Networks' Unit 42 team while responding to a Black Basta ransomware attack that also relied on GootLoader and Brute Ratel C4, a commercial post-exploitation framework built for red-team engagements. The team also found a second PlugX variant on VirusTotal that locates sensitive documents on the compromised system and copies them into a hidden folder on the USB drive.

The internet keeps changing, and those changes do not only benefit defenders. As Web 3 technologies arrive, malware authors and other malicious actors will adapt their tactics to reach more of it and turn the new technology to their advantage.

The infection process

The PlugX version that the Unit 42 team encountered[1] creates a new directory on every USB drive it detects and names it with a single Unicode whitespace character (the non-breaking space, U+00A0, according to Unit 42's analysis). Windows Explorer and the command shell render the name as blank, so the directory is effectively invisible there, but it is plainly visible when the drive is mounted on a Linux system. To get the malware executed from the hidden directory, a Windows shortcut (.lnk) file is placed in the root folder of the USB device. The path to the malware inside the shortcut contains the same non-breaking space, a space that does not cause a line break and is not visible when the shortcut is inspected in Windows Explorer.

The malware also creates a ‘desktop.ini’ file in the hidden directory to set the icon of the LNK file in the root folder, so the shortcut looks like a removable drive and the victim is tricked into opening it. Meanwhile, a ‘RECYCLER.BIN’ subdirectory acts as a disguise, hosting copies of the malware on the USB device.[2]

Once the victim opens the shortcut in the root folder of the USB device, it launches x32.exe via cmd.exe, infecting the host with PlugX. At the same time a new Explorer window opens showing the user's files on the USB device, so everything appears normal. Once PlugX is running on the host, it continually monitors for newly attached USB devices and attempts to infect each one as it is discovered.
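The following Python script is an added example, not Unit 42's tooling and not code from the page's sources. It shows how a responder can triage a mounted drive for the layout described above without opening the shortcut: it flags directories whose names consist only of whitespace (Unit 42 reports a single U+00A0), checks for desktop.ini, RECYCLER.BIN and executables inside them, and parses the .lnk header and StringData fields per MS-SHLLINK to see whether the shortcut runs cmd.exe against a whitespace-named path. It assumes, for the constructed sample drive, that the shortcut's target and arguments live in the RELATIVE_PATH and COMMAND_LINE_ARGUMENTS fields; the file names x32.exe, USB DRIVE.lnk and the argument string are placeholders, not the real sample's values.

```python
import struct
import tempfile
from pathlib import Path

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
NBSP = "\u00a0"
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link without executing it."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        off += width * count
    return fields


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Constructed minimal Unicode shell link, used only to build the sample drive."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand=1, rest zero
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body


def is_whitespace_name(name: str) -> bool:
    """True for names Explorer renders blank: only whitespace or non-printables."""
    return bool(name) and all(c.isspace() or not c.isprintable() for c in name)


def triage_usb_root(root) -> list:
    """Findings for one drive root; an empty list means nothing matched."""
    root, findings = Path(root), []
    for entry in root.iterdir():
        if entry.is_dir() and is_whitespace_name(entry.name):
            findings.append(f"whitespace-named directory {entry.name!r}")
            if (entry / "desktop.ini").is_file():
                findings.append("desktop.ini inside hidden directory (icon spoofing)")
            if (entry / "RECYCLER.BIN").is_dir():
                findings.append("RECYCLER.BIN inside hidden directory")
            for exe in entry.glob("*.exe"):
                findings.append(f"executable in hidden directory: {exe.name}")
    for lnk in root.glob("*.lnk"):
        try:
            fields = parse_lnk_strings(lnk.read_bytes())
        except ValueError:
            continue
        target = fields.get("relative_path", "").lower()
        args = fields.get("arguments", "")
        if "cmd.exe" in target and NBSP in args:
            findings.append(f"{lnk.name} runs cmd.exe on a whitespace-named path: {args!r}")
    return findings


def make_sample_usb(base) -> Path:
    """Constructed layout mirroring the reported one; placeholder files, not malware."""
    base = Path(base)
    hidden = base / NBSP
    (hidden / "RECYCLER.BIN").mkdir(parents=True)
    (hidden / "x32.exe").write_bytes(b"MZ placeholder")
    # icon index chosen arbitrarily for the example
    (hidden / "desktop.ini").write_text("[.ShellClassInfo]\nIconResource=shell32.dll,7\n")
    (base / "USB DRIVE.lnk").write_bytes(build_lnk(
        "..\\Windows\\System32\\cmd.exe",     # assumed target field
        f'/q /c "{NBSP}\\x32.exe"',           # assumed argument string
        f"{NBSP}\\desktop.ini"))
    return base


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return triage_usb_root(make_sample_usb(tmp))


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Run it against a real drive with `triage_usb_root("/media/usb")` on a Linux analysis box, where the whitespace-named directory is listed normally; the parser only reads the shortcut's bytes, so nothing on the drive is executed.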

PlugX malware might be able to jump to air-gapped networks

The Unit 42 team also discovered a document-stealing variant of PlugX that targets USB drives in the same way but adds the ability to copy PDF and Microsoft Word documents into a folder named da520e5 inside the hidden directory. It is unknown how the threat actors retrieve these “locally exfiltrated” files from the USB drive; physical access to the drive is one possibility.

The detection rate of this variant is relatively low: at the time of writing, only 9 of 61 products on the VirusTotal scanning platform flag the file as malicious, and more recent PlugX samples are detected by even fewer engines.[3] This underlines the need for layered detection that watches what a file does on the system rather than relying on file signatures alone.

PlugX has typically been associated with state-backed threat actors, but it can also be bought on underground markets and has been used by ordinary cybercriminals. With a variant that is harder to spot and spreads through removable drives, the Unit 42 researchers say that PlugX has the potential to jump into air-gapped networks.

Security measures are a must to protect systems and networks

One of the key ways to protect against this PlugX variant is to avoid opening unknown or suspicious files and shortcuts, particularly those found on removable USB devices. Keeping your antivirus software up to date and your operating system patched also helps prevent malware from gaining a foothold.

Another important step is to monitor your network and endpoints for unusual activity, such as unexpected network traffic or new processes. For this variant in particular, a cmd.exe process started from a shortcut on a removable drive, which in turn launches an executable from that drive, is the kind of event worth alerting on. Catching it early lets you confirm the presence of PlugX and remove it before it spreads to other drives.

Furthermore, it is good practice to use endpoint protection that takes a multi-layered approach, combining behavioral analysis, machine learning, and sandboxing to detect and block malware before it runs on your systems.

In conclusion, PlugX is a sophisticated and highly adaptable threat that has been used by a range of hacking groups for well over a decade. Protecting against it requires vigilance, especially around removable media, together with the layered controls described above.

About the author

Gabriel E. Hall is a malware researcher who has been working for 2-spyware for almost a decade.
