For security reasons, it is better not to connect a USB stick found on the street to your own computer. Security researchers from Unit 42 (Palo Alto Networks) have now confirmed this again when they came across the USB stick infecting malware PlugX.
If PlugX spreads on a Windows PC, it should automatically attack connected USB data carriers and thus pave the way for other computers. According to the researchers’ report, the malware has been around for more than a decade and is said to have been used in cyber attacks on the US government in 2015, among other things.
Now PlugX has reappeared in two variants. The aim of the Trojan is to execute malicious code via DLL side loading with actually legitimate applications. The second variant is designed to copy PDF and Word documents.
In order to infect systems, PlugX is supposed to hijack trustworthy and digitally signed software. In the current case, this should be done using the open source debugging tool for Windows x64dbg. The malware is said to hook itself into the DLL loading process with the maliciously coded X32bridge.dat file. At the moment, only nine out of 60 scanners are said to start with the online analysis service VirusTotal.
In stealth mode
After infection, the Trojan should infect and hide on connected USB data carriers for further spread. Among other things, the malware uses hidden folders that Windows does not display by default.
The campaign’s masterminds use another camouflage trick: They use certain Unicode characters that prevent Windows Explorer from displaying the data on the USB stick, even if you activate the option to show hidden files in Windows .
The only thing victims see on the stick is a shortcut to the malware called TESTDRIVE and their own data stored on the stick. The researchers explain that the complete data structure only becomes visible with a Unix system.
With the automatic malware installation on connected USB data carriers, PlugX could also sneak into systems that are separated from the Internet (air gap) in critical infrastructures.
To home page
Leave a Reply