PlugX Malware Hides on Removable USB Devices to Infect Windows Machine

An investigation by cyber security experts at Palo Alto Network’s Unit 42 team recently revealed that a variation of PlugX malware has the ability to conceal harmful files on USB drives and subsequently infect Windows systems upon connection.

A new method employed by the malware, described by researchers as “a novel technique,” enables extended stealth and has the potential to infiltrate even isolated networks.

During a response to a Black Basta ransomware incident, the Unit 42 team of Palo Alto Networks stumbled upon an instance of the PlugX variation. 

The malware in question was observed utilizing GootLoader and Brute Ratel, both of which are tools regularly employed in red-team operations for post-exploitation activities.

Unit 42, in their quest to find similar samples, stumbled upon a variation of PlugX on VirusTotal. This variant of PlugX is equipped with the functionality to scan the affected system for confidential documents and on the USB drive subsequently transfer them to a secret folder.

PlugX Malware Infection Chain

PlugX is a well-established form of malware that has been in circulation since 2008, originally employed by Chinese hacking groups.

Although this malware has been around since 2008, some hacking groups continue to use it today, often employing digitally signed software to discreetly deliver payloads that are encrypted.

As the years went by, the use of PlugX expanded, and it became popular among multiple malicious actors, making it difficult to trace the origin of an attack.

Apart from this, the attacker appears to be utilizing a 32-bit version of a Windows debugging tool known as ‘x64dbg.exe’ in the current attack campaigns.

They are also using a tampered version of ‘x32bridge.dll’ to load the PlugX payload (x32bridge.dat) as a part of the attack campaign.

Malware Execution on Windows Machine

As the malware evolves, the detection rate by antivirus engines on VirusTotal seems to be decreasing for the more recent versions of PlugX.

Specifically, one sample added in August of the previous year has only been identified as a threat by three products on the VirusTotal platform as of now.

The version of PlugX the researchers have come across creates a new folder in detected USB drives by using a Unicode character. As a result of this technique, in both Windows Explorer and the command shell this new directory becomes undetectable.

Linux systems have these directories visible while Windows systems do not have them visible. A Windows shortcut (.lnk) file is created on the root folder of the USB device, in order to execute the malware code from the concealed directory.

During the execution of the malware, a ‘desktop.ini’ file is created in a hidden directory that is used to set the icon for the LNK file in the root directory, making the victim believe that the file is a USB drive, which is actually a threat.

The malware creates a ‘RECYCLER.BIN’ subdirectory on the USB device which acts as a mask and hosts the copies of the malware. In late 2020, Sophos researchers discovered that an older version of PlugX was used to carry out this kind of technique and attack.

In late 2020, Sophos researchers discovered that an older version of PlugX was used to carry out this kind of attack.

Once the unsuspecting victim clicks on the shortcut file located in the root folder of the USB device, it triggers the execution of x32.exe via cmd.exe, ultimately leading to the host being infected with the PlugX malware.

When the PlugX malware has infiltrated the device once, it actively searches for new USB devices and attempts to spread itself to them upon detection.

The researchers from Unit 42 have identified a variant of PlugX malware that not only infects USB drives but also targets specific file types such as PDF and Microsoft Word documents, copying them to a folder named “da520e5” within a hidden directory.

The PlugX malware has been in circulation for over a decade and was previously heavily linked to Chinese state-sponsored hacking groups.

It has become increasingly popular among other threat groups, including nation-states, cybercrime groups, as well as ransomware authors, over the years.