The scam of a USB stick with malware, which was thought to be outdated for a long time, has actually been pulled out of the cybercrime box again. A new variant of the well-known PlugX worm appeared in Nigeria, Ghana, Zimbabwe and Mongolia and is still migrating.
16.000 miles apart are the current outbreaks of a new species of PlugX USB worm: after first appearing in Papua New Guinea in August 2022, infections have been popping up in Ghana, Mongolia, Zimbabwe and Nigeria.
This is how the new version of the worm works
The new version, detected by Sophos X-Ops, spreads via USB drives and uses a legitimate executable file, which it injects onto the target network. It then hides in a fake directory called "RECYLER.BIN" which is associated with the real Windows Recycle Bin thanks to an additional disguise provided by Windows cyber criminals. The worm then copies files from the infected network to the USB drive.
Global comeback of the USB worm?
USB malware distribution, long believed to be obsolete, cannot be killed: Sophos had already noticed an accumulation of this activity last year. The PlugX worm has been up to mischief since at least 2008. In the security scene, its origin is unanimously attributed to the MustangPanda hacker group, an attacker gang associated with Chinese, state-sponsored cyber espionage activity.
Gabor Szappanos, Threat Research Director, Sophos, on the USB worm revival: “In November last year, we reported on various concentrations of active hostile activity against government entities in Southeast Asia, which also used this retro method via USB drives. The worm eventually surfaced thousands of miles away in Africa a month later. Now this renewed accumulation of USB worm activity spans three continents.
USB often no longer in the security eye
We don't consider removable media to be particularly mobile compared to web-based attacks, but this proliferation method has proven to be very effective in these parts of the world. There are numerous players with very different interests who make use of the advantages of a USB stick, but it seems to us that the MustangPanda group is the mastermind behind it.
It may be too early to announce a comeback for the USB worm, but it's certainly not obsolete technology from ten or twenty years ago. Some well-known threat actors continue to take advantage of USB to proliferate their malware.”
More at Sophos.com
About Sophos More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.