Security researchers have analyzed a variant of the PlugX malware that can hide malicious files on removable USB devices and then infect the Windows hosts they connect to.
The malware uses what researchers call “a novel technique” that allows it to remain undetected for longer periods and could potentially spread to air-gapped systems.
A sample of this PlugX variant was found by Palo Alto Network’s Unit 42 team during a response to a Black Basta ransomware attack that relied on GootLoader and the Brute Ratel post-exploitation toolkit for red-team engagements.
Looking for similar samples, Unit 42 also discovered a PlugX variant on Virus Total that locates sensitive documents on the compromised system and copies them to a hidden folder on the USB drive.
Hidding PlugX in USB drives
PlugX is an old piece of malware that has been used since at least 2008, initially only by Chinese hacker groups – some of them continue to use it with digitally signed software to side-load encrypted payloads.
Over time, however, it became so widespread that multiple actors adopted it in attacks, making attribution for its use a very challenging task.
In the recent attacks that Unit 42 observed, the threat actor is using the 32-bit version of a Windows debugging tool named ‘x64dbg.exe’ along with a poisoned version of ‘x32bridge.dll,’ which loads the PlugX payload (x32bridge.dat).
At the time of writing, most antivirus engines on the Virus Total scanning platform don’t flag the file as malicious, the detection rate being of just 9 out of 61 products.
More recent samples of the PlugX malware are detected by even fewer antivirus engines on Virus Total. One of them, added in August last year, is currently flagged as a threat by just three products on the platform. Obviously, live security agents rely on multiple detection technologies that look for malicious activity generated by a file on the system.
The researchers explain that the PlugX version they encountered uses a Unicode character to create a new directory in detected USB drives, which makes them invisible on Windows Explorer and the command shell. These directories are visible on Linux but concealed on Windows systems.
“To achieve code execution of the malware from the hidden directory, a Windows shortcut (.lnk) file is created on the root folder of the USB device,” Unit 42 says.
“The shortcut path to the malware contains the Unicode whitespace character, which is a space that does not cause a line break but is not visible when viewed via Windows Explorer” – Palo Alto Networks Unit 42
The malware creates a ‘desktop.ini’ file on the hidden directory to specify the LNK file icon on the root folder, making it appear as a USB drive to trick the victim. Meanwhile, a ‘RECYCLER.BIN’ subdirectory acts as a disguise, hosting copies of the malware on the USB device.
This technique has been seen in an older version of PlugX analyzed by Sophos researchers in late 2020, although the focus of the report was on the DLL side-loading as a means to execute malicious code.
The victim clicks on the shortcut file on the root folder of the USB device, which executes x32.exe via cmd.exe, resulting in the infection of the host with the PlugX malware.
Simultaneously, a new Explorer window will open to show the user’s files on the USB device, making everything appear normal.
After PlugX gets on the device, it continually monitors for new USB devices and attempts to infect them on discovery.
During their research, the Unit 42 team has also discovered a document-stealing variant of the PlugX malware that targets USB drives, too, but has the added capability of copying PDF and Microsoft Word documents onto a folder in the hidden directory called da520e5.
It is unknown how the threat actors retrieve these “locally exfiltrated” files from the USB drive, but physical access might be one of the ways.
While PlugX was typically associated with state-backed threat actors, the malware can be purchased on underground markets and cybercriminals have also used it.
With the new development that makes it more difficult to detect and allows it to spread through removable drives, Unit 42 researchers say that PlugX has the potential to jump to air-gapped networks.