Experts have discovered a new PlugX sample that uses sneaky methods to infect attached removable USB media devices such as floppy, thumb or flash drives, and any additional systems the USB is later plugged into.
. The methods are used to propagate the malware to additional systems.
The new PlugX wormable variant stays in hidden mode in Windows and victims will not be able to learn about any infection without a forensic tool.
Additional tools spotted in the compromised environment include the Gootkit loader and the Brute Ratel C4 red team framework.
Upon infection, it copies all the Microsoft Word and Adobe PDF documents from the infected machine to a hidden folder on the USB device.
However, researchers could not confirm whether all the tools were used by the Black Basta group, and there is a possibility of the involvement of multiple groups in the attacks.
Technical details
This USB variant uses a specific unicode character, named non-breaking space (U+00A0), to conceal files in a USB device plugged into a workstation.
A Windows shortcut (.LNK) file, created in the root folder of the flash drive, is used to run the malware from the hidden directory.
PlugX is tasked with implanting the malware on the host and copying it on any removable device that could be connected to it by hiding it inside a so-called recycle bin folder.
Whenever the shortcut file is clicked, PlugX launches Windows Explorer and passes the directory path as a parameter. It shows the files on the USB device from the hidden directories and further infects the host with the PlugX malware.
Conclusion
The recent samples imply that hackers are actively developing and deploying PlugX. Moreover, they could turn this tool into a stealthier weapon to steal files from air-gapped machines. Organizations are suggested to have in-depth and multi-layered security defense to protect all end-points.