PlugX Malware Hides on Removable USB Devices to Infect Windows Machine

An investigation by cyber security experts at Palo Alto Network’s Unit 42 team recently revealed that a variation of PlugX malware has the ability to conceal harmful files on USB drives and subsequently infect Windows systems upon connection.

A new method employed by the malware, described by researchers as “a novel technique,” enables extended stealth and has the potential to infiltrate even isolated networks.

During a response to a Black Basta ransomware incident, the Unit 42 team of Palo Alto Networks stumbled upon an instance of the PlugX variation. 

The malware in question was observed utilizing GootLoader and Brute Ratel, both of which are tools regularly employed in red-team operations for post-exploitation activities.

PlugX Malware Hides on Removable USB Devices

Unit 42, while searching for similar samples, found a further PlugX variant on VirusTotal. This variant is able to scan the infected system for sensitive documents and copy them to a hidden folder on the USB drive.

PlugX Malware Infection Chain

PlugX is a well-established form of malware that has been in circulation since 2008, originally employed by Chinese hacking groups.

Although this malware has been around since 2008, some hacking groups continue to use it today, often employing digitally signed software to discreetly deliver payloads that are encrypted.

As the years went by, the use of PlugX expanded, and it became popular among multiple malicious actors, making it difficult to trace the origin of an attack.

Infection Chain

Apart from this, the attacker appears to be utilizing a 32-bit version of a Windows debugging tool known as ‘x64dbg.exe’ in the current attack campaigns.

They are also using a tampered version of ‘x32bridge.dll’ to load the PlugX payload (x32bridge.dat) as a part of the attack campaign.

Malware Execution on Windows Machine

As the malware evolves, the detection rate by antivirus engines on VirusTotal seems to be decreasing for the more recent versions of PlugX.

Specifically, one sample added in August of the previous year has only been identified as a threat by three products on the VirusTotal platform as of now.

The version of PlugX the researchers examined creates a new folder on every detected USB drive whose name uses a Unicode character; as a result, the directory is not visible in either Windows Explorer or the command shell.

These directories are visible on Linux systems but not on Windows. A Windows shortcut (.lnk) file is placed in the root folder of the USB device to execute the malware from the concealed directory.

During execution, the malware writes a ‘desktop.ini’ file into the hidden directory to set the icon of the LNK file in the root folder, so that the shortcut looks like a USB drive to the victim while actually launching the threat.

The malware also creates a ‘RECYCLER.BIN’ subdirectory on the USB device, which serves as a disguise and holds the copies of the malware. In late 2020, Sophos researchers discovered that an older version of PlugX was used to carry out this kind of attack.


Once the unsuspecting victim clicks on the shortcut file located in the root folder of the USB device, it triggers the execution of x32.exe via cmd.exe, ultimately leading to the host being infected with the PlugX malware.

Once PlugX has infected a device, it actively watches for newly attached USB devices and attempts to spread to them as soon as they are detected.

The researchers from Unit 42 have identified a variant of PlugX malware that not only infects USB drives but also targets specific file types such as PDF and Microsoft Word documents, copying them to a folder named “da520e5” within a hidden directory.
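A defender-side check for the USB layout described above, written as an added example (it is not Unit 42's or the article's code): it walks a mounted drive and flags a concealed directory name, a root-level shortcut, the desktop.ini icon override, the RECYCLER.BIN decoy folder and the da520e5 staging folder. The no-break-space folder name and the sample file names are constructed assumptions for the demo.

```python
import os
import tempfile

# Indicators taken from the article: a directory whose name consists only of
# whitespace / non-printable Unicode, a .lnk in the drive root, a desktop.ini
# inside the concealed directory, a RECYCLER.BIN subdirectory, and the
# "da520e5" folder used to stage collected documents.
STAGING_FOLDER = "da520e5"
DECOY_DIR = "RECYCLER.BIN"


def is_concealed_name(name: str) -> bool:
    """True when a name is made only of whitespace or non-printable characters."""
    return name != "" and (not name.strip() or not name.isprintable())


def scan_drive(root: str) -> list[str]:
    """Walk a mounted removable drive and return a sorted list of findings."""
    findings = []
    for entry in os.listdir(root):
        path = os.path.join(root, entry)
        # Root-level shortcut: the lure that launches the hidden payload.
        if os.path.isfile(path) and entry.lower().endswith(".lnk"):
            findings.append(f"root-lnk:{entry}")
        if os.path.isdir(path) and is_concealed_name(entry):
            findings.append(f"concealed-dir:{entry!r}")
            for sub in os.listdir(path):
                if sub.lower() == "desktop.ini":
                    findings.append(f"icon-override:{entry!r}/{sub}")
                if sub.upper() == DECOY_DIR:
                    findings.append(f"decoy-dir:{entry!r}/{sub}")
    # The staging folder may sit anywhere below the root, so walk the whole tree.
    for dirpath, dirnames, _ in os.walk(root):
        if STAGING_FOLDER in dirnames:
            rel = os.path.relpath(os.path.join(dirpath, STAGING_FOLDER), root)
            findings.append(f"staging-dir:{rel}")
    return sorted(findings)


def build_sample_drive() -> str:
    """Constructed sample tree mimicking the described layout (no real malware)."""
    root = tempfile.mkdtemp(prefix="usb_")
    hidden = os.path.join(root, "\u00a0")  # assumption: a no-break-space folder name
    os.makedirs(os.path.join(hidden, DECOY_DIR, STAGING_FOLDER))
    open(os.path.join(hidden, "desktop.ini"), "w").close()
    open(os.path.join(root, "USB Drive.lnk"), "w").close()
    open(os.path.join(root, "notes.txt"), "w").close()
    return root
```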

The PlugX malware has been in circulation for over a decade and was previously heavily linked to Chinese state-sponsored hacking groups.

It has become increasingly popular among other threat groups, including nation-states, cybercrime groups, as well as ransomware authors, over the years.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
