Cybersecurity researchers have uncovered a PlugX sample that employs sneaky methods to infect attached removable USB media devices in order to propagate the malware to additional systems.

"This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system," Palo Alto Networks Unit 42 researchers Mike Harbison and Jen Miller-Osborn said. "A user would not know their USB device is infected or possibly used to exfiltrate data out of their networks."

The cybersecurity company said it uncovered the artifact during an incident response effort following a Black Basta ransomware attack against an unnamed victim. Other tools discovered in the compromised environment include the Gootkit malware loader and the Brute Ratel C4 red team framework.

The use of Brute Ratel by the Black Basta group was previously highlighted by Trend Micro in October 2022, with the software delivered as a second-stage payload by means of a Qakbot phishing campaign. The attack chain has since been used against a large, regional energy outfit based in the southeastern U.S., according to Quadrant Security.

The shortcut file dropped on the device carries the same name as the USB device and uses a drive icon, while the existing files and directories on the root of the removable device are moved to a hidden folder created inside the "shortcut" folder.

"Whenever the shortcut file from the infected USB device is clicked, the PlugX malware launches Windows Explorer and passes the directory path as a parameter," Unit 42 said. "This then displays the files on the USB device from within the hidden directories and also infects the host with the PlugX malware."

The technique banks on the fact that Windows File Explorer (previously Windows Explorer) by default does not show hidden items. The clever twist is that the malicious files within the so-called recycle bin are not displayed even when that setting is enabled. This effectively means that the rogue files can only be viewed on a Unix-like operating system like Ubuntu or by mounting the USB device in a forensic tool.

"Once a USB device is discovered and infected, any new files written to the USB device root folder post-infection are moved to the hidden folder within the USB device," the researchers said. "Since the Windows shortcut file resembles that of a USB device and the malware displays the victim's files, they unwittingly continue to spread the PlugX malware."

Unit 42 said it also discovered a second variant of PlugX that, in addition to infecting USB devices, copies all Adobe PDF and Microsoft Word files from the host to another hidden folder that the malware creates on the USB device.

The use of USB drives as a means to exfiltrate specific files of interest from its targets indicates an attempt on the part of the threat actors to jump over air-gapped networks.

With the latest development, PlugX joins the ranks of other malware families such as ANDROMEDA and Raspberry Robin that have added the capability to spread via infected USB drives.
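As an added illustration of the shortcut trick described above (example code written for this page, not Unit 42's tooling or a PlugX artifact), the following Python parses the header and StringData of a Windows shortcut according to the MS-SHLLINK layout and flags the indicators the report describes: a .lnk named after the volume label that launches explorer.exe with a directory path as its argument. The volume label, the shortcut's target path, the hidden-folder path and the shell32.dll icon source are all constructed values; treating a shell32.dll icon source as a "drive-style icon" indicator is a heuristic added here, not something the report states.

```python
import struct

LNK_HEADER_SIZE = 0x4C
# ShellLinkHeader LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
               (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
               (HAS_ICON, "icon_location"))  # on-disk order of the StringData fields


def build_lnk(relative_path, arguments, icon_location):
    """Construct a minimal shortcut carrying only StringData (test input, not a real sample)."""
    flags = HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII",  # LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
        flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand=SW_SHOWNORMAL, HotKey, 3 reserved
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, arguments, icon_location))
    return header + strings


def parse_lnk(data):
    """Parse the header and StringData of a .lnk; skip LinkTargetIDList/LinkInfo if present."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Windows shell link")
    flags, file_attrs = struct.unpack_from("<II", data, 20)
    fields = {"link_flags": flags, "file_attributes": file_attrs,
              "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:          # IDListSize (2 bytes) followed by the IDList itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:        # LinkInfoSize (4 bytes) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    for flag, key in STRING_DATA:   # each: CountCharacters (2 bytes) + unterminated string
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("cp1252")
            off += count
    return fields


def triage_shortcut(lnk_filename, fields, volume_label):
    """Return the indicators from the report that this shortcut matches ([] = nothing odd)."""
    findings = []
    stem = lnk_filename[:-4] if lnk_filename.lower().endswith(".lnk") else lnk_filename
    if stem.casefold() == volume_label.casefold():
        findings.append("shortcut is named after the volume label")
    target = fields.get("relative_path", "").casefold()
    args = fields.get("arguments", "").strip()
    if target.endswith("explorer.exe") and args:
        findings.append("launches explorer.exe with a path argument: " + args)
    icon = fields.get("icon_location", "").casefold()
    # Heuristic added here, not from the report: a shortcut on a removable drive that
    # borrows its icon from shell32.dll is the usual way to obtain a drive-style icon.
    if icon.endswith("shell32.dll"):
        findings.append("icon taken from shell32.dll (drive-style icon)")
    return findings


VOLUME_LABEL = "USB_DRIVE"  # constructed label of the removable device
SAMPLE_LNK = build_lnk(     # constructed stand-in for the shortcut on the infected drive
    relative_path="..\\..\\..\\Windows\\explorer.exe",
    arguments="\\HIDDEN\\files",  # constructed hidden-folder path handed to explorer.exe
    icon_location="%SystemRoot%\\System32\\shell32.dll",
)


def triage_sample():
    return triage_shortcut(VOLUME_LABEL + ".lnk", parse_lnk(SAMPLE_LNK), VOLUME_LABEL)


if __name__ == "__main__":
    for finding in triage_sample():
        print("-", finding)
```

On a live drive the same triage would be run over every .lnk at the root of the removable device, alongside a listing of root entries whose hidden and system attributes are set; the parser above only covers StringData, so a shortcut that encodes its target solely in the LinkTargetIDList would report no relative path and needs the IDList decoded as well.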