[German]Security researchers from Palo Alto Networks' Unit 42 have observed cyberattacks with new variant of the old known malware. Suspected to originate from China, the PlugX malware has attracted attention because this variant infects all connected USB removable media devices such as floppy, thumb or flash drives, as well as any other systems to which the USB stick is later connected.
Advertising
Palo Alto Networks Unit 42 released this week an investigation of tools the team observed during responding to a ransomware attack by the hacker group Black Basta. In the investigation, Palo Alto Networks identified several tools on victims' machines that were of interest. Among them is the GootLoader malware, the red-teaming tool Brute Ratel C4, and an older PlugX malware sample.
The PlugX malware
The PlugX malware particularly caught Unit 42's eye, as this variant infects all connected USB removable media devices, such as floppy, thumb or flash drives, as well as any other systems to which the USB device is later connected. The highlights of the latest scan include:
- This PlugX variant is worm-capable and infects USB devices in such a way that it hides itself from the Windows file system. A user would not know that his USB device is infected and might be used for data exfiltration from the network.
- The PlugX malware variant used in this attack infects all connected USB removable media devices, such as floppy, thumb or flash drives, as well as any other systems that the USB device is later connected to.
- Unit 42 discovered a similar variant of PlugX in VirusTotal that infects USB devices and copies all Adobe PDF and Microsoft Word files from the host. These copies are placed in a hidden folder on the USB device, which is created by the malware.
- PlugX is a second-stage implant used not only by some Chinese-backed groups, but also by several cybercriminal groups. It has been in circulation for over a decade and has been seen in several high-profile cyberattacks, including the 2015 intrusion into the U.S. government's Office of Personnel Management (OPM).
- Any host infected with this variant of PlugX malware is constantly looking for new removable USB devices to infect. This PlugX malware also hides attacker files in a USB device using a novel technique that ensures that the malicious files can only be viewed on a *nix operating system or by mounting the USB device in a forensic tool. Due to this ability to evade detection, the PlugX malware can spread further and potentially infiltrate intercepted networks.
- The Brute Ratel C4 used in this case is the same badger payload (implant) previously reported by Trend Micro, which also affects the Black Basta ransomware group.
Details on the topic can be read in the blog post Chinese PlugX Malware Hidden in Your USB Devices?
