Analyzing a ransomware attack, Unit 42 found the PlugX malware. This variant first identifies all connected USB removable media devices, such as floppy, thumb, or flash drives, and then infects every one of them. Whenever an infected USB stick is plugged in, the infection spreads to the host and from there to all other connected USB devices.
Palo Alto Networks Unit 42 released an investigation into tools the team observed responding to a ransomware attack by hacker group Black Basta. During the investigation, Palo Alto Networks identified several tools of interest on victims' machines, including: the GootLoader malware, the Brute Ratel C4 red teaming tool, and an older PlugX malware sample.
Malware infects all USB media
The PlugX malware particularly caught Unit 42's eye, as this variant infects any connected USB removable media devices such as floppy, thumb, or flash drives, as well as any other system to which the USB device is later connected.
This PlugX malware also hides attackers' files on a USB device using a novel technique that works even on the latest Windows operating systems (OS) at the time of writing this post. This means that the malicious files can only be viewed on a Unix-like (*nix) operating system or by mounting the USB device in a forensic tool.
New variant hides infected Office files
In addition, Unit 42 discovered a similar variant of PlugX in VirusTotal with the additional ability to copy all Adobe PDF and Microsoft Word documents from the infected host to the USB device's hidden folder created by the PlugX malware. The discovery of these samples shows that, at least for some technically-savvy attackers, PlugX is still evolving - and that it remains an active threat.
The PlugX malware has been around for over a decade and has been commonly associated with Chinese APT groups in the past. Over the years, other groups of attackers have adopted and deployed this malware, from nation-states to ransomware actors.
Findings of the investigation
- This PlugX variant is wormable and infects USB devices in such a way that it hides from the Windows file system. A user would not know that their USB device is infected and might be used for data exfiltration from the network.
- The PlugX malware variant used in this attack infects any connected USB removable media devices such as floppy, thumb, or flash drives, as well as any additional systems to which the USB device is later connected.
- Unit 42 detected a similar variant of PlugX in VirusTotal that infects USB devices and copies all Adobe PDF and Microsoft Word files from the host. These copies are placed in a hidden folder on the USB device created by the malware.
- PlugX is a second-stage implant used not only by some Chinese-origin groups, but also by several cybercriminal groups. It has been around for over a decade and has been observed in some high-profile cyberattacks, including the US government's Office of Personnel Management (OPM) intrusion in 2015.
- Any host infected with this variant of PlugX malware is constantly looking for new removable USB drives to infect. This PlugX malware also hides attacker files on a USB device using a novel technique that ensures that the malicious files can only be viewed on a *nix operating system or by mounting the USB device in a forensic tool. This ability to evade detection allows the PlugX malware to spread further and potentially penetrate air-gapped networks.
- The Brute Ratel C4 used in this case is the same Badger payload (implant) previously reported by Trend Micro, which has also been attributed to the Black Basta ransomware group.
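The findings above describe a folder on the USB device that Explorer does not show and, in the VirusTotal variant, a copy of the host's PDF and Word documents staged inside it. The triage script below is an added example written for this article; it is not Unit 42's code and does not reproduce the malware's hiding technique. It walks a mounted volume with a file-system enumeration that ignores Explorer's display rules, flags directories that carry the hidden/system attributes (on Windows; the dot-prefix convention is used as a stand-in elsewhere) or whose names render as blank (a heuristic assumed here, not stated in the report), and counts the PDF/Word documents staged in each. The sample volume layout is constructed in a temporary directory so the script runs offline.

```python
import os
import shutil
import tempfile
from collections import Counter

# Windows file-attribute bits as defined by the Win32 API.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Document types the VirusTotal variant is reported to copy onto the USB device.
STAGED_DOC_EXTENSIONS = {".pdf", ".doc", ".docx"}


def is_explorer_hidden(path):
    """True if the entry carries attributes Explorer hides by default.

    st_file_attributes only exists on Windows; on other platforms the
    dot-prefix convention is used so the example behaves the same everywhere.
    """
    attrs = getattr(os.lstat(path), "st_file_attributes", None)
    if attrs is not None and attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
        return True
    return os.path.basename(path).startswith(".")


def has_blank_name(name):
    """Heuristic (assumption, not from the report): a name made only of
    whitespace or non-printable characters shows up as an empty label."""
    return name.strip() == "" or any(not c.isprintable() for c in name)


def triage_volume(root):
    """Enumerate every directory under root, hidden or not, and report the
    suspicious ones with a count of PDF/Word files staged inside each."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            reasons = []
            if is_explorer_hidden(full):
                reasons.append("hidden/system attribute")
            if has_blank_name(d):
                reasons.append("blank or unprintable name")
            if not reasons:
                continue
            docs = Counter()
            for _, _, files in os.walk(full):
                for f in files:
                    ext = os.path.splitext(f)[1].lower()
                    if ext in STAGED_DOC_EXTENSIONS:
                        docs[ext] += 1
            findings.append({
                "path": os.path.relpath(full, root),
                "reasons": reasons,
                "staged_docs": sum(docs.values()),
                "by_type": dict(docs),
            })
    return sorted(findings, key=lambda x: x["path"])


def build_constructed_volume():
    """Constructed stand-in for a mounted USB drive (no real malware artefacts)."""
    root = tempfile.mkdtemp(prefix="usb_triage_")
    os.makedirs(os.path.join(root, "Photos"))
    open(os.path.join(root, "Photos", "holiday.jpg"), "w").close()
    # Dot-prefixed so it counts as hidden on every platform this example runs on.
    hidden = os.path.join(root, ".staged")
    os.makedirs(hidden)
    for name in ("report.pdf", "contract.docx", "notes.doc", "readme.txt"):
        open(os.path.join(hidden, name), "w").close()
    # Folder whose only name character is a non-breaking space, so its label is blank.
    blank = os.path.join(root, "\u00a0")
    os.makedirs(blank)
    open(os.path.join(blank, "budget.pdf"), "w").close()
    return root


if __name__ == "__main__":
    volume = build_constructed_volume()
    try:
        for finding in triage_volume(volume):
            print(repr(finding["path"]), finding["reasons"],
                  "staged documents:", finding["staged_docs"], finding["by_type"])
    finally:
        shutil.rmtree(volume)
```

Run against a real removable drive by passing its mount point to `triage_volume` instead of the constructed directory; a directory that is flagged and holds a large number of the host's documents is worth imaging for forensic review rather than cleaning in place.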
About Palo Alto Networks
Palo Alto Networks, the global leader in cybersecurity solutions, is shaping the cloud-based future with technologies that transform the way people and businesses work. Our mission is to be the preferred cybersecurity partner and protect our digital way of life. We help you address the world's biggest security challenges with continuous innovation leveraging the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are the leaders in protecting tens of thousands of businesses across clouds, networks and mobile devices. Our vision is a world where every day is safer than the one before.