PlugX Variant Uncovered: Document-Stealing Malware Targets USB Drives
Security researchers have uncovered a new variant of the PlugX malware that can hide malicious files on removable USB devices and infect the Windows hosts they are connected to.
The malware remains undetected for longer periods by using a “novel technique” and has the potential to spread to air-gapped systems. The sample was discovered during a response to a Black Basta ransomware attack and analyzed by the Unit 42 team at Palo Alto Networks.
The new variant of PlugX was found to locate sensitive documents on the compromised system and copy them to a hidden folder on the USB drive. PlugX is an old piece of malware that has been used since 2008 and has become widespread, making attribution for its use a difficult task.
In the recent attacks, the threat actor was using a Windows debugging tool named ‘x64dbg.exe’ along with a poisoned version of ‘x32bridge.dll’, which loads the PlugX payload.
Document-stealing variant of PlugX
The researchers found that the new variant uses a Unicode character to create a new directory on detected USB drives, making the directory invisible in Windows Explorer and in the command shell. To achieve code execution, a Windows shortcut file is created in the root folder of the USB device; it runs x32.exe via cmd.exe and infects the host with the PlugX malware. The malware continually monitors for new USB devices and attempts to infect them as soon as they are discovered.
A document-stealing variant of the PlugX malware was also discovered. It targets USB drives and copies PDF and Microsoft Word documents into a folder inside the hidden directory. It is unknown how the threat actors retrieve these files, but physical access might be one of the ways.
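The two traits described above (a directory whose name renders with no visible glyph, and a shortcut file dropped in the drive's root folder) can be checked for from the defender's side. The script below is an added example written for this page, not code from Unit 42 or from the article; the article does not name the specific Unicode character used, so the scanner flags any directory name made up entirely of space, format, control, private-use or unassigned code points, and the sample drive layout it builds (a U+00A0 directory name and an `open.lnk` file) is constructed for the demonstration.

```python
import os
import tempfile
import unicodedata
from pathlib import Path
from typing import List, Tuple

# Unicode general categories whose characters draw no visible glyph: space
# separators (Zs/Zl/Zp), format and control characters (Cf/Cc), private-use
# and unassigned code points (Co/Cn). A name built only from these shows up
# as an apparently empty entry, or not at all, in a directory listing.
INVISIBLE_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc", "Co", "Cn"}


def is_invisible_name(name: str) -> bool:
    """True when every character of a file or directory name is non-printing."""
    return len(name) > 0 and all(
        unicodedata.category(ch) in INVISIBLE_CATEGORIES for ch in name
    )


def scan_removable_root(root: str) -> List[Tuple[str, str]]:
    """Report (finding, path-relative-to-root) pairs for the two traits the
    article describes: invisibly named directories anywhere on the drive and
    Windows shortcut (.lnk) files sitting directly in the root folder."""
    root_path = Path(root)
    findings: List[Tuple[str, str]] = []
    for entry in root_path.iterdir():
        if entry.is_file() and entry.suffix.lower() == ".lnk":
            findings.append(("shortcut-in-root", str(entry.relative_to(root_path))))
    for dirpath, dirnames, _ in os.walk(str(root_path)):
        for d in dirnames:
            if is_invisible_name(d):
                rel = os.path.relpath(os.path.join(dirpath, d), str(root_path))
                findings.append(("invisible-directory-name", rel))
    return sorted(findings)


def build_sample_drive() -> str:
    """Constructed stand-in for a USB root (hypothetical layout, not a real
    sample): a benign 'docs' folder, a directory named with a single
    non-breaking space (U+00A0), and a shortcut file in the root."""
    drive = tempfile.mkdtemp(prefix="usb_root_")
    os.mkdir(os.path.join(drive, "docs"))
    os.mkdir(os.path.join(drive, "\u00a0"))
    open(os.path.join(drive, "open.lnk"), "w").close()
    return drive


if __name__ == "__main__":
    for finding, path in scan_removable_root(build_sample_drive()):
        print(f"{finding}: {path!r}")
```

Run it against the mount point of a removable drive to list any entries that match either trait; a hit is a prompt for closer inspection of the drive and the host it was plugged into, not proof of infection on its own.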
PlugX available in underground markets
While PlugX was originally associated with state-backed threat actors, it can now be purchased on underground markets and has been used by cybercriminals as well. With the new development that makes it more difficult to detect and allows it to spread through removable drives, the Unit 42 researchers warn that PlugX has the potential to jump to air-gapped networks.
Source: bleepingcomputer.com