The newly discovered PlugX sample uses elusive techniques to infect attached thumb and flash drives, other removable USB media, and any system into which the infected USB device is later inserted.
Based on the report, this new sample could allow attackers to quickly propagate their malware strains to numerous systems.
Researchers stumbled across this new PlugX sample while analysing a separate attack.
According to the investigation, the researchers discovered the PlugX sample while performing incident response on a recent Black Basta ransomware campaign.
This new wormable variant stays hidden on Windows, and infected victims would not notice any trace of it without forensic analysis or tools. Furthermore, the researchers identified additional tools in the infected infrastructure, such as the Brute Ratel C4 red team framework and the Gootkit loader.
Upon infection, the malware duplicates all MS Word and Adobe PDF documents from the infected machine and places the copies in a hidden folder on the USB device.
Unfortunately, the analysts could not verify whether the ALPHV group used all of the tools. Moreover, multiple groups may be involved in the campaign.
Researchers stated that the USB variant uses the Unicode character "non-breaking space" (U+00A0) as a directory name to hide files on a USB device attached to a workstation. The malware then creates a Windows [.]lnk shortcut file in the root folder of the compromised flash drive.
This PlugX variant implants the malware on the host and copies itself to any removable device it can find on the infected system.
Whenever a target opens the shortcut file, PlugX launches Windows Explorer and passes the hidden directory path as a parameter. Explorer then displays the files from the hidden directory on the USB device, and the host is compromised with the malware.
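The two on-disk traits described above (a whitespace-only directory name such as U+00A0 and a shortcut file dropped in the volume root) can be checked by a simple triage scan. The following is an added example written for this article, not code from the researchers' report; the directory layout it scans is constructed in a temporary folder to stand in for a removable volume.

```python
import os
import tempfile
import unicodedata
from pathlib import Path


def is_whitespace_only_name(name: str) -> bool:
    """True if every character is whitespace or a Unicode space separator (e.g. U+00A0)."""
    return bool(name) and all(
        ch.isspace() or unicodedata.category(ch) == "Zs" for ch in name
    )


def scan_removable_root(root: str) -> dict:
    """Scan the root folder of a (removable) volume for the two traits above.

    Returns directory names made only of whitespace characters (escaped so
    they are visible in output) and .lnk shortcut files sitting in the root.
    """
    findings = {"hidden_dirs": [], "root_lnk": []}
    for entry in os.scandir(root):
        if entry.is_dir() and is_whitespace_only_name(entry.name):
            findings["hidden_dirs"].append(entry.name.encode("unicode_escape").decode())
        elif entry.is_file() and entry.name.lower().endswith(".lnk"):
            findings["root_lnk"].append(entry.name)
    return findings


def build_constructed_sample() -> str:
    """Create a constructed (not real) layout that mimics the described traits."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    hidden = Path(root) / "\u00a0"            # directory named with a single non-breaking space
    hidden.mkdir()
    (hidden / "payload.bin").write_bytes(b"constructed placeholder, not malware")
    (Path(root) / "My USB.lnk").write_bytes(b"L\x00\x00\x00")  # constructed stub, not a real shortcut
    (Path(root) / "docs").mkdir()              # benign entries that must not be flagged
    (Path(root) / "report.pdf").write_bytes(b"%PDF-1.4 constructed")
    return root


if __name__ == "__main__":
    print(scan_removable_root(build_constructed_sample()))
```

On a real volume, pass the drive root (for example `E:\`) to `scan_removable_root` and treat any hit as a reason to examine the device with forensic tooling rather than by opening the shortcut.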
Cybersecurity experts claimed that the recent PlugX samples show the threat actor is actively improving and deploying PlugX. In addition, the new tooling could become a more elusive weapon capable of stealing files from air-gapped devices.