“This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system,” Palo Alto Networks Unit 42 researchers Mike Harbison and Jen Miller-Osborn said. “A user would not know their USB device is infected or possibly used to exfiltrate data out of their networks.”
The cybersecurity company said it uncovered the artifact during an incident response effort following a Black Basta ransomware attack against an unnamed victim. Other tools discovered in the compromised environment include the Gootkit malware loader and the Brute Ratel C4 red team framework.
The use of Brute Ratel by the Black Basta group was previously highlighted by Trend Micro in October 2022, with the software delivered as a second-stage payload by means of a Qakbot phishing campaign. The attack chain has since been used against a large, regional energy outfit based in the southeastern U.S., according to Quadrant Security.
However, there is no evidence that ties PlugX, a backdoor extensively shared across several Chinese nation-state groups, or Gootkit to the Black Basta ransomware gang, suggesting that other actors may have deployed it.
The USB variant of PlugX is notable for the fact that it uses a particular Unicode character called non-breaking space (U+00A0) to hide files in a USB device plugged into a workstation.
“The whitespace character prevents the Windows operating system from rendering the directory name, concealing it rather than leaving a nameless folder in Explorer,” the researchers said, explaining the novel technique.
A Windows shortcut (.LNK) file created in the root folder of the flash drive is used to execute the malware from the hidden directory. The PlugX sample is not only tasked with implanting the malware on the host, but also copying it on any removable device that may be connected to it by camouflaging it inside a recycle bin folder.
The shortcut file, for its part, carries the same name as that of the USB device and appears as a drive icon, with the existing files or directories on the root of the removable device moved to a hidden folder created inside the “shortcut” folder.
“Whenever the shortcut file from the infected USB device is clicked, the PlugX malware launches Windows Explorer and passes the directory path as a parameter,” Unit 42 said. “This then displays the files on the USB device from within the hidden directories and also infects the host with the PlugX malware.”
The technique banks on the fact that Windows File Explorer (previously Windows Explorer) by default does not show hidden items. But the clever twist here is that the malicious files within the so-called recycle bin do not get displayed when with the setting enabled.
This effectively means that the rogue files can only be viewed on a Unix-like operating system like Ubuntu or by mounting the USB device in a forensic tool.
“Once a USB device is discovered and infected, any new files written to the USB device root folder post-infection are moved to the hidden folder within the USB device,” the researchers said. “Since the Windows shortcut file resembles that of a USB device and the malware displays the victim’s files, they unwittingly continue to spread the PlugX malware.”
Unit 42 said it also discovered a second variant of PlugX that, in addition to infecting USB devices, further copies all Adobe PDF and Microsoft Word files from the host to another hidden folder on the USB device created by the malware.
The use of USB drives to exfiltrate specific files of interest from its targets indicates an attempt on part of the threat actors to jump over air-gapped networks.
With the latest development, PlugX joins the ranks of other malware families such as ANDROMEDA and Raspberry Robin that have added the capability to spread via infected USB drives.
“The discovery of these samples indicates PlugX development is still alive and well among at least some technically skilled attackers, and it remains an active threat,” the researchers concluded.
Get Involved & Participate!