Researchers uncover PlugX malware infection process
Palo Alto Networks Unit 42 security researchers investigated a PlugX malware variant that can hide malicious files on removable USB devices and then infect the Windows hosts to which they connect. The investigation was carried out in response to a Black Basta ransomware compromise.
The malware employs a “novel technique” that allows it to go undetected for longer periods of time and could potentially spread to air-gapped systems. The new PlugX variant is said to be “wormable,” meaning it can infect USB devices and hide itself from the Windows operating system’s file system.
The threat actor is using the 32-bit version of a Windows debugging tool called ‘x64dbg.exe’ in recent attacks, along with a poisoned version of ‘x32bridge.dll,’ which loads the PlugX payload (x32bridge.dat).
“This PlugX malware also hides attacker files in a USB device with a novel technique, which makes the malicious files only viewable on a *nix OS or by mounting the USB device in a forensic tool,” reads a Unit 42 advisory about the new threat. “Because of this ability to evade detection, the PlugX malware can continue to spread and potentially jump to air-gapped networks.”
However, there is no evidence linking PlugX, a backdoor widely used by several Chinese nation-state groups, or Gootkit to the Black Basta ransomware gang, implying that it was used by other actors. The USB variant of PlugX is notable for using a Unicode character known as non-breaking space (U+00A0) to hide files in a USB device plugged into a workstation.
A Windows shortcut (.LNK) file created in the flash drive’s root folder is then used to execute the malware from the hidden directory. The PlugX sample is tasked not only with installing the malware on the host, but also with copying it to any removable device that may be connected to it, hiding it inside a recycle bin folder.
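A defender-side check for the on-disk indicators described above, added here as an example and not code from Unit 42 or the article: it walks a removable volume’s root, flags directories whose names consist only of whitespace characters such as U+00A0, lists what they contain, and flags .LNK shortcuts sitting directly in the root. The sample layout it builds in a temporary directory is constructed for the demonstration; the file names are placeholders.

```python
import tempfile
import unicodedata
from pathlib import Path

NBSP = "\u00a0"  # non-breaking space used by the PlugX USB variant to name its folder


def is_whitespace_only_name(name: str) -> bool:
    """True if a file or directory name is made only of Unicode whitespace (e.g. U+00A0)."""
    return len(name) > 0 and all(
        ch.isspace() or unicodedata.category(ch) == "Zs" for ch in name
    )


def scan_removable_root(root: str) -> dict:
    """Report the three indicators this article describes on a USB root:
    whitespace-named directories, everything nested under them, and root-level .LNK files."""
    findings = {"whitespace_dirs": [], "nested_files": [], "root_lnk": []}
    root_path = Path(root)
    for entry in root_path.iterdir():
        if entry.is_dir() and is_whitespace_only_name(entry.name):
            findings["whitespace_dirs"].append(entry.name)
            for sub in entry.rglob("*"):
                if sub.is_file():
                    findings["nested_files"].append(str(sub.relative_to(root_path)))
        elif entry.is_file() and entry.suffix.lower() == ".lnk":
            findings["root_lnk"].append(entry.name)
    return findings


def build_sample_usb(base: str) -> str:
    """Constructed sample layout (assumption, not a real capture): a U+00A0-named
    directory holding placeholder payload files plus a root-level shortcut."""
    root = Path(base) / "USB"
    hidden = root / NBSP
    hidden.mkdir(parents=True)
    (hidden / "x64dbg.exe").write_bytes(b"placeholder")
    (hidden / "x32bridge.dll").write_bytes(b"placeholder")
    (root / "USB.lnk").write_bytes(b"placeholder")
    (root / "report.pdf").write_bytes(b"placeholder")  # benign file, must not be flagged
    return str(root)


def demo() -> dict:
    """Build the constructed sample in a temp dir and scan it."""
    return scan_removable_root(build_sample_usb(tempfile.mkdtemp()))


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```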
Unit 42 also stated that the team discovered a PlugX variant that can infect USB devices and copy all Adobe PDF and Microsoft Word files from the host. The copies are then placed in an automatically created, hidden folder on the USB device.
The sources for this piece include an article in TheHackerNews.