Unit42 Palo Alto Network has discovered a new version of PlugX, which is able to infect and spread via USB devices, replacing ANDROMEDA and Raspberry Robin.
Malicious files are hidden using a new technique that works even in the latest Windows OS. The user will not know that their USB device is infected or possibly used to steal data from their networks.
Researchers found the PlugX sample while responding to an incident following a Black Basta attack on an unnamed victim.
Other tools found in the compromised environment include the Gootkit malware downloader and the Brute Ratel C4 red team framework.
Black Basta's use of Brute Ratel was previously noted by Trend Micro in October 2022, when the software was delivered as a second-stage payload via a Qakbot phishing campaign.
According to Quadrant Security, the chain of attacks has since been used against a large regional energy company based in the southeastern United States.
As you know, PlugX is a remote access Trojan that was developed and originally used by Chinese companies, but has since been leaked and adopted by many attackers.
However, there is no evidence that PlugX or Gootkit is associated with the Black Basta gang, which suggests that it may have been deployed by other actors.
The USB variant of PlugX is notable because it uses a special Unicode character called a non-breaking space (U+00A0) to hide files on a USB device connected to the workstation.
Ultimately, the Windows shortcut file (.LNK) created in the root folder of the flash drive is used to launch malware from a hidden directory.
At the same time, the PlugX sample not only injects malware on the host, but also copies it to any available removable device, masking it inside the trash folder.
Whenever a file shortcut is clicked from an infected USB device, the malware launches Windows Explorer and passes the directory path as a parameter, which causes files on the USB device from hidden directories to be displayed, as well as infecting the host with PlugX malware.
This method is based on the fact that Windows Explorer does not show hidden items by default. But the trick is that malicious files in the so-called recycle bin are not displayed if this option is enabled.
In fact, this means that fraudulent files can only be viewed on a Unix-like operating system.
Unit 42 also discovered a second version of PlugX, which, in addition to infecting USB devices, additionally copies all Adobe PDF and Microsoft Word files from the host to another hidden folder on the USB device created by malware.
The discovery of new modifications indicates that the development of PlugX is still underway, remaining an active threat, now also for closed networks.
+++++
The forgotten PlugX USB worm has infected millions of machines on its own.
The PlugX USB worm, forgotten by everyone, including its developer, continued to multiply independently for years. According to researchers, malware can remain on thousands or even millions of computers.
PlugX was first mentioned in a Sophos report in 2023. It is generally assumed that the malware was released into the wild in 2019.
At the same time, the authors gave it the functionality of self-distribution and automatic infection of USB media. Of course, when such a drive was connected to a computer, the latter was also infected with malware.
Researchers believe that PlugX was developed in China and used by cyber groups associated with the Ministry of State Security of the People's Republic of China.
The creators of the worm, for an unknown reason, at some point abandoned their brainchild and disabled the only IP address that belonged to the PlugX command center. Thus, no one else controlled the spread of the malware.
Meanwhile, the worm continued to live its own life, quietly distributing its copies to new devices. Experts at Sekoia estimate that the number of affected computers may be in the millions.
Experts even bought the mentioned IP address and connected their own server infrastructure to it, trying to intercept traffic in this way and prevent new infections.
After that, traffic started coming to the Sekoia server, and from 90,000 to 100,000 unique IP addresses were recorded daily. Despite the fact that the number of IP addresses is not directly converted to the number of infected computers, these figures still give an idea of the scale of PlugX infections.
Malicious files are hidden using a new technique that works even in the latest Windows OS. The user will not know that their USB device is infected or possibly used to steal data from their networks.
Researchers found the PlugX sample while responding to an incident following a Black Basta attack on an unnamed victim.
Other tools found in the compromised environment include the Gootkit malware downloader and the Brute Ratel C4 red team framework.
Black Basta's use of Brute Ratel was previously noted by Trend Micro in October 2022, when the software was delivered as a second-stage payload via a Qakbot phishing campaign.
According to Quadrant Security, the chain of attacks has since been used against a large regional energy company based in the southeastern United States.
As you know, PlugX is a remote access Trojan that was developed and originally used by Chinese companies, but has since been leaked and adopted by many attackers.
However, there is no evidence that PlugX or Gootkit is associated with the Black Basta gang, which suggests that it may have been deployed by other actors.
The USB variant of PlugX is notable because it uses a special Unicode character called a non-breaking space (U+00A0) to hide files on a USB device connected to the workstation.
Ultimately, the Windows shortcut file (.LNK) created in the root folder of the flash drive is used to launch malware from a hidden directory.
At the same time, the PlugX sample not only injects malware on the host, but also copies it to any available removable device, masking it inside the trash folder.
Whenever a file shortcut is clicked from an infected USB device, the malware launches Windows Explorer and passes the directory path as a parameter, which causes files on the USB device from hidden directories to be displayed, as well as infecting the host with PlugX malware.
This method is based on the fact that Windows Explorer does not show hidden items by default. But the trick is that malicious files in the so-called recycle bin are not displayed if this option is enabled.
In fact, this means that fraudulent files can only be viewed on a Unix-like operating system.
Unit 42 also discovered a second version of PlugX, which, in addition to infecting USB devices, additionally copies all Adobe PDF and Microsoft Word files from the host to another hidden folder on the USB device created by malware.
The discovery of new modifications indicates that the development of PlugX is still underway, remaining an active threat, now also for closed networks.
+++++
The forgotten PlugX USB worm has infected millions of machines on its own.
The PlugX USB worm, forgotten by everyone, including its developer, continued to multiply independently for years. According to researchers, malware can remain on thousands or even millions of computers.
PlugX was first mentioned in a Sophos report in 2023. It is generally assumed that the malware was released into the wild in 2019.
At the same time, the authors gave it the functionality of self-distribution and automatic infection of USB media. Of course, when such a drive was connected to a computer, the latter was also infected with malware.
Researchers believe that PlugX was developed in China and used by cyber groups associated with the Ministry of State Security of the People's Republic of China.
The creators of the worm, for an unknown reason, at some point abandoned their brainchild and disabled the only IP address that belonged to the PlugX command center. Thus, no one else controlled the spread of the malware.
Meanwhile, the worm continued to live its own life, quietly distributing its copies to new devices. Experts at Sekoia estimate that the number of affected computers may be in the millions.
Experts even bought the mentioned IP address and connected their own server infrastructure to it, trying to intercept traffic in this way and prevent new infections.
After that, traffic started coming to the Sekoia server, and from 90,000 to 100,000 unique IP addresses were recorded daily. Despite the fact that the number of IP addresses is not directly converted to the number of infected computers, these figures still give an idea of the scale of PlugX infections.
