
Wormable PlugX USB malware variant found in Black Basta ransomware attack


Researchers responding to a Black Basta ransomware compromise have shared findings on a new wormable PlugX malware variant that automatically infects any removable USB media device attached to an infected host.

This PlugX variant also hides the attacker's files on the USB device with a novel technique: the malicious files are not shown to the Windows user and can only be seen from a *nix OS or by mounting the device in a forensic tool. Because of this evasion, the malware can keep spreading from device to device and potentially jump into air-gapped networks.

According to the researchers, PlugX is a modular malware framework whose set of capabilities has evolved over the years. It is a second-stage implant used by multiple groups with a Chinese nexus as well as by several cybercrime groups.


PlugX has been around for over a decade and has been observed in several high-profile cyber-attacks, including the 2015 breach of the U.S. Office of Personnel Management (OPM).

The link between this malware and Black Basta comes from the Brute Ratel post-exploitation tool used in these attacks: its badger payload is the same one previously reported by Trend Micro and associated with the ransomware group.

The researchers also found a similar PlugX variant with one added capability: it copies all Adobe PDF and Microsoft Word documents from the infected host into the hidden folder that the malware creates on the USB device.
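To make the hiding technique and the document-staging behaviour concrete, here is an added Python triage script; it is not part of the original post or of Unit 42's research. It assumes that the hidden folder is one whose name consists only of non-printing Unicode characters (space separators, control or format characters), which the Windows user does not see rendered but which a Linux shell or a forensic mount lists normally; the post itself does not spell out the technique, so this is a heuristic. The volume layout, the file names and the .lnk lure in `build_sample_volume` are all constructed for the demonstration.

```python
import os
import tempfile
import unicodedata
from pathlib import Path

# Unicode general categories that have no visible glyph: space separators (Zs),
# control characters (Cc) and format characters (Cf). A directory whose name is
# made only of these is the assumed hiding trick checked here.
NON_PRINTING_CATEGORIES = {"Zs", "Cc", "Cf"}

# Document types the second variant described in the post copies to the USB.
DOC_SUFFIXES = {".pdf", ".doc", ".docx"}


def is_invisible_name(name: str) -> bool:
    """True if the name is non-empty and every character is non-printing."""
    return bool(name) and all(
        unicodedata.category(ch) in NON_PRINTING_CATEGORIES for ch in name
    )


def triage_removable_volume(root: str) -> dict:
    """Walk a mounted volume and collect the artifacts the post describes.

    Returns a dict of sorted, volume-relative POSIX paths:
      hidden_dirs: directories whose names are entirely non-printing characters
      root_lnks:   .lnk shortcut files sitting in the volume root (lure files)
      staged_docs: PDF/Word files found anywhere under a hidden directory
    """
    root_path = Path(root)
    findings = {"hidden_dirs": [], "root_lnks": [], "staged_docs": []}

    for entry in root_path.iterdir():
        if entry.is_file() and entry.suffix.lower() == ".lnk":
            findings["root_lnks"].append(entry.name)

    for dirpath, dirnames, filenames in os.walk(root_path):
        cur = Path(dirpath)
        rel_parts = cur.relative_to(root_path).parts
        # Any invisible component above us means we are inside a hidden tree.
        inside_hidden = any(is_invisible_name(p) for p in rel_parts)

        for d in dirnames:
            if is_invisible_name(d):
                findings["hidden_dirs"].append((cur / d).relative_to(root_path).as_posix())

        if inside_hidden:
            for f in filenames:
                if Path(f).suffix.lower() in DOC_SUFFIXES:
                    findings["staged_docs"].append((cur / f).relative_to(root_path).as_posix())

    for key in findings:
        findings[key].sort()
    return findings


def build_sample_volume() -> str:
    """Create a constructed (fake) USB layout in a temp directory.

    Nothing here is a real sample: the shortcut bytes, the loader name and the
    documents are placeholders that only reproduce the shape of the layout.
    """
    vol = Path(tempfile.mkdtemp(prefix="usb_"))
    # Constructed lure shortcut at the root, named like a drive label.
    (vol / "USB_DRIVE.lnk").write_bytes(b"L\x00\x00\x00")
    # Benign, visible content that must not be flagged.
    (vol / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    (vol / "Work").mkdir()
    (vol / "Work" / "plan.docx").write_bytes(b"PK")
    # Hidden directory: its name is a single non-breaking space (U+00A0).
    hidden = vol / "\u00a0"
    (hidden / "docs").mkdir(parents=True)
    (hidden / "loader.exe").write_bytes(b"MZ")            # constructed placeholder
    (hidden / "docs" / "q3-report.pdf").write_bytes(b"%PDF")
    (hidden / "docs" / "contract.docx").write_bytes(b"PK")
    return str(vol)


if __name__ == "__main__":
    # Point this at a real mount point (e.g. /media/usb) to triage a device.
    volume = build_sample_volume()
    for key, paths in triage_removable_volume(volume).items():
        print(f"{key}: {paths}")
```

Run it on a Linux host against the mount point of the suspect device, or against a forensic image mounted read-only. Because the match is on the directory name's character categories rather than on a specific byte, it also catches names built from zero-width or other format characters; visible directories containing documents (the `Work` folder above) are deliberately left alone so the staged-document list only reflects what sits under a hidden tree.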

The discovery of these samples shows that PlugX development is still alive and well among at least some technically skilled attackers, and that it remains an active threat.

This research was documented by Palo Alto Networks Unit 42.

Indicators of Compromise

Known PlugX Samples:


Known File Directories

Known Windows Mutex Names

Known PlugX Encrypted Payload File Names

Known Windows Scheduled Task Names

Known Windows Process Names
