WisePlant – A WiseGroup Company
Researchers Discover New PlugX Malware Variant Spreading via Removable USB Devices 1

Researchers Discover New PlugX Malware Variant Spreading via Removable USB Devices

PlugX: An Overview of the Malicious Malware Threat

PlugX is a malicious malware threat that has been active since 2008. It is a Remote Access Trojan (RAT) that is used to gain access to a computer system without the user’s knowledge or permission. PlugX is primarily used to steal confidential information, such as passwords, financial data, and other sensitive information.

PlugX is spread through malicious emails, malicious websites, and malicious software downloads. It is also spread through malicious links on social media sites. Once installed, PlugX can be used to gain access to a computer system and execute malicious code. It can also be used to steal data, modify system settings, and launch other malicious programs.

PlugX is difficult to detect and remove. It is designed to evade detection by antivirus software and other security measures. It can also be used to disable security measures, such as firewalls and antivirus software.

PlugX is a serious threat to computer systems and networks. It can be used to steal confidential information, modify system settings, and launch other malicious programs. It is important to take steps to protect your computer system from PlugX and other malicious malware threats. This includes keeping your operating system and software up to date, using strong passwords, and avoiding suspicious websites and emails.


PlugX is a malicious software (malware) that is used to gain unauthorized access to a computer system. It is a type of Remote Access Trojan (RAT) that is used to steal confidential information, such as passwords, financial data, and other sensitive information. PlugX is typically spread through malicious email attachments, malicious websites, and other malicious software. It is also known as Korplug, Sogu, and Kaba. PlugX is a highly sophisticated malware that is difficult to detect and remove. It has been used in targeted attacks against government, military, and corporate networks.

As it was originally reported by Unit42. See source Link.

“This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system,” Palo Alto Networks Unit 42 researchers Mike Harbison and Jen Miller-Osborn said. “A user would not know their USB device is infected or possibly used to exfiltrate data out of their networks.”

The cybersecurity company said it uncovered the artifact during an incident response effort following a Black Basta ransomware attack against an unnamed victim. Other tools discovered in the compromised environment include the Gootkit malware loader and the Brute Ratel C4 red team framework.

The use of Brute Ratel by the Black Basta group was previously highlighted by Trend Micro in October 2022, with the software delivered as a second-stage payload employing a Qakbot phishing campaign. The attack chain has since been used against a large, regional energy outfit based in the southeastern U.S., according to Quadrant Security.

However, there is no evidence that ties PlugX, a backdoor extensively shared across several Chinese nation-state groups, or Gootkit to the Black Basta ransomware gang, suggesting that other actors may have deployed it.

The USB variant of PlugX is notable for the fact that it uses a particular Unicode character called non-breaking space (U+00A0) to hide files in a USB device plugged into a workstation.

“The whitespace character prevents the Windows operating system from rendering the directory name, concealing it rather than leaving a nameless folder in Explorer,” the researchers said, explaining the novel technique.

A Windows shortcut (.LNK) file created in the root folder of the flash drive is used to execute the malware from the hidden directory. The PlugX sample is not only tasked with implanting the malware on the host, but also copying it on any removable device that may be connected to it by camouflaging it inside a recycle bin folder.

PlugX Malware

The shortcut file, for its part, carries the same name as that of the USB device and appears as a drive icon, with the existing files or directories on the root of the removable device moved to a hidden folder created inside the “shortcut” folder.

“Whenever the shortcut file from the infected USB device is clicked, the PlugX malware launches Windows Explorer and passes the directory path as a parameter,” Unit 42 said. “This then displays the files on the USB device from within the hidden directories and also infects the host with the PlugX malware.”

The technique banks on the fact that Windows File Explorer (previously Windows Explorer) by default does not show hidden items. But the clever twist here is that the malicious files within the so-called recycle bin do not get displayed when with the setting enabled.

This effectively means that the rogue files can only be viewed on a Unix-like operating system like Ubuntu or by mounting the USB device in a forensic tool.

“Once a USB device is discovered and infected, any new files written to the USB device root folder post-infection are moved to the hidden folder within the USB device,” the researchers said. “Since the Windows shortcut file resembles that of a USB device and the malware displays the victim’s files, they unwittingly continue to spread the PlugX malware.”

Unit 42 said it also discovered a second variant of PlugX that, in addition to infecting USB devices, further copies all Adobe PDF and Microsoft Word files from the host to another hidden folder on the USB device created by the malware.

The use of USB drives to exfiltrate specific files of interest from its targets indicates an attempt for the threat actors to jump over air-gapped networks.

With the latest development, PlugX joins the ranks of other malware families such as ANDROMEDA and Raspberry Robin that have added the capability to spread via infected USB drives.

“The discovery of these samples indicates PlugX development is still alive and well among at least some technically skilled attackers, and it remains an active threat,” the researchers concluded.


In conclusion, PlugX malware is a dangerous and sophisticated form of malware that is capable of stealing data, executing malicious code, and allowing remote access to an infected system. It is important to be aware of the potential risks posed by PlugX malware and to take steps to protect your system from infection. By keeping your system up to date with the latest security patches, using strong passwords, and avoiding suspicious links and downloads, you can help protect yourself from PlugX malware.

About the author: Eduardo Kando Verified Member WiseGroup Manager

Get Involved & Participate!

The moment is now!
The experience meets opportunity!


No comments yet