Security researchers have analyzed a variant of PlugX malware that can hide malicious files on removable USB devices and then infect Windows hosts they connect to.

The malware uses what the researchers call “a new technique” that allows it to remain undetected for longer periods of time and could potentially spread to isolated systems.

A sample of this PlugX variant was found by the Palo Alto Network Unit 42 team during a response to a Black Basta ransomware attack that relied on GootLoader and the Brute Honey Badger post-exploitation toolkit for red team engagements.

Looking for similar samples, Unit 42 also discovered a PlugX variant on Virus Total that locates sensitive documents on the compromised system and copies them to a hidden folder on the USB drive.

Hide PlugX in USB Drives

PlugX is an old malware that has been used since at least 2008, initially only by Chinese hacker groups – some of them keep using it with digitally signed software for sideloading encrypted payloads.

Over time, however, it has become so prevalent that several actors adopted in attacks, which makes attribution of its use a very difficult task.

In the recent attacks observed by Unit 42, the threat actor uses a 32-bit version of a Windows debugging tool named “x64dbg.exe” along with a poisoned version of “x32bridge.dll”, which loads the PlugX payload (x32bridge.that).

Diagram of the chain of infection
Diagram of the chain of infection (Unit 42)

At the time of writing, most antivirus engines on the Virus Total scanning platform do not flag the file as malicious, with the detection rate being only 9 out of 61 products.

VirusTotal scan results
VirusTotal scan results (

Newer samples of the PlugX malware are detected by even fewer antivirus engines on Virus Total. One of them, added in august last year, is currently flagged as a threat by only three products on the platform. Obviously, live security guards rely on several detection technologies that look for malicious activity generated by a file on the system.

The researchers explain that the version of PlugX they encountered uses a Unicode character to create a new directory in detected USB drives, which makes them invisible to Windows Explorer and the command shell. These directories are visible on Linux but hidden on Windows systems.

“To get the malware code to run from the hidden directory, a Windows shortcut file (.lnk) is created in the root folder of the USB device,” says Unit 42.

“The shortcut path to the malware contains the Unicode whitespace character, which is a space that does not cause a line break but is not visible when viewed through Windows Explorer” – Palo Alto Networks Unit 42

The malware creates a “desktop.ini” file in the hidden directory to specify the icon of the LNK file in the root folder, making it appear as a USB drive to trick the victim. Meanwhile, a “RECYCLER.BIN” subdirectory acts as a disguise, harboring copies of the malware on the USB device.

Shortcut file properties
Shortcut file properties (Unit 42)

This technique was seen in an old version of PlugX analyzed by Sophos researchers end of 2020, although the report focuses on sideloading DLLs as a means of executing malicious code.

The victim clicks on the shortcut file in the root folder of the USB device, which executes x32.exe through cmd.exe, causing PlugX malware to infect the host.

Simultaneously, a new explorer window will open to show the user’s files on the USB device, which will make everything normal.

Once PlugX is installed on the device, it continuously monitors new USB devices and attempts to infect them upon discovery.

Comparison Between Clean and Infected USB Drives
Comparison Between Clean and Infected USB Drives (Unit 42)

During their research, the Unit 42 team also discovered a document-stealing variant of the PlugX malware that also targets USB drives, but has the added ability to copy PDF and Microsoft Word documents to a folder on the hidden directory called da520e5.

It is unknown how the threat actors recover these “locally exfiltrated” files from the USB drive, but physical access could be one of the ways.

While PlugX was usually associated with state-backed threat actors, the malware can be purchased from underground markets and cybercriminals have also used it.

With the new development making it harder to detect and allowing it to spread via removable drives, the Unit 42 researchers say PlugX has the potential to make the jump to isolated networks.

Source link