Unit 42 analyzes PlugX variants hidden on USB devices, detailing novel USB infection and hiding techniques as part of a broader Black Basta-related investigation. The findings show USB-based persistence, stealthy file hiding, and multiple PlugX variants linked to a Chinese nexus, with protections available from Palo Alto Networks products. #PlugX #USBInfection #OPM #BlackBasta #GootLoader #x32dbg
Keypoints
- A PlugX variant infects attached removable USB media and the hosts they are plugged into. Execution is via DLL side-loading: the legitimate x32dbg.exe debugger (the 32-bit x64dbg binary) is used to load the actor's DLL and encrypted payload.
- On the USB device the malware hides its files under a directory whose name is the Unicode no-break space (U+00A0), which Explorer renders as blank, and places a decoy RECYCLER.BIN tree beneath it to conceal the executables.
- A Windows shortcut (.lnk) with crafted arguments runs cmd.exe (%comspec% /q /c ...) against the hidden x32dbg.exe, so opening the shortcut launches the malware from the USB device.
- A second PlugX variant adds data exfiltration: it copies PDF and Word documents into a hidden subfolder on the USB device. It also checks running processes, terminates certain applications and deletes the directories they ran from to remove traces.
- The campaign includes registry-based persistence (Run keys) and DLL side-loading techniques historically associated with PlugX.
- Indicators include known PlugX samples, specific file names, USB paths, mutexes, tasks, and process names to watch for.
MITRE Techniques
- [T1574.002] DLL Side-Loading – PlugX historically hijacks a known, trusted, digitally signed application to load an actor-created encrypted payload; in this campaign the abused host binary is the x32dbg.exe debugger. ‘Historically, a PlugX infection begins by hijacking a known and trusted, digitally signed software application to load an actor-created encrypted payload.’
- [T1059.003] Windows Command Shell – The shortcut invokes cmd.exe to execute the hidden x32dbg.exe from the concealed directory tree on the USB device (the two no-break-space directory names are shown escaped): ‘%comspec% /q /c "\u00A0\u00A0RECYCLER.BIN\files\x32dbg.exe"’
- [T1547.001] Registry Run Keys / Startup Folder – Adds a value under Microsoft\Windows\CurrentVersion\Run for persistence. ‘Adding registry persistence’
- [T1564.001] Hidden Files and Directories – Names directories with U+00A0 so they render as blank, and keeps the malware inside those hidden folders. ‘The Unicode character used by this PlugX malware for the directories is 00A0 (a whitespace character called a no-break space). The whitespace character prevents the Windows Operating System from rendering the directory name…’
- [T1070.004] File Deletion – Terminates the targeted processes and deletes the directories from which they were executed. ‘deletes the directories from which they were executed.’
- [T1027] Obfuscated Files or Information – The PlugX payload is carried as an actor-created encrypted file (x32bridge.dat) that is loaded by the side-loaded DLL. ‘encrypted payload file: x32bridge.dat’
Indicators of Compromise
- [Hash] Known PlugX Samples – 8ec37dac2beaa494dcefec62f0bf4ae30a6ce44b27a588169d8f0476bbc94115, e72e49dc1d95efabc2c12c46df373173f2e20dab715caf58b1be9ca41ec0e172, and 6 more hashes
- [File/Directory] Known File Directories – C:\ProgramData\Users\Date\Windows_NT\Windows\user\Desktop, C:\Users\Public\Public Mediae, :\u00A0\u00A0RECYCLER.BIN\files, :\u00A0\u00A0RECYCLER.BIN\files\da520e5 (\u00A0 denotes a no-break-space directory name; the drive letter precedes the colon)
- [Mutex] Known Windows Mutex Names – LKU_Test_0.1, LKU_Test_0.2, TCP_0.1
- [Process] Known Windows Process Names (Observed Abused Benign Files) – x32dbg.exe, x32dbge.exe, Mediae.exe, Aug.exe, Precious.exe, SafeGuard.exe, Dism.exe
- [Filename] Known PlugX Encrypted Payload File Names – akm.dat, precious.dat, x32bridge.dat, Groza_1.dat
- [Scheduled Task] Known Windows Scheduled Task Names – LKUFORYOU_1, PRECIOUS_0.1
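The hiding technique described in the keypoints and MITRE entries above (blank U+00A0 directory names, a decoy RECYCLER.BIN tree, a .lnk that drives cmd.exe into it) and the indicator list can be combined into a first-pass triage script for a mounted removable drive. The following is an added example written for this page, not Unit 42's tooling. The sample drive it builds is constructed (dummy bytes under the names from the page plus a minimal .lnk with a valid header and UTF-16LE arguments), and the .lnk check is a byte-pattern heuristic, not a full MS-SHLLINK parser.

```python
"""Heuristic triage of a mounted drive for the USB-resident PlugX layout
described on this page: whitespace-only directory names, a decoy RECYCLER.BIN
tree, a .lnk whose arguments drive cmd.exe into that tree, and the listed
payload names, host binaries and hashes.  Added example, not Unit 42 tooling."""
import hashlib
import os
import tempfile
from pathlib import Path

NBSP = "\u00a0"  # U+00A0 NO-BREAK SPACE, the character used for the hidden directory names

# Every Windows shell link begins with HeaderSize 0x4C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046} serialised little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Strings expected in the launcher's StringData; .lnk stores them as UTF-16LE
# when the IsUnicode flag is set, which is the common case on modern Windows.
LNK_MARKERS = [s.encode("utf-16-le") for s in ("%comspec%", "RECYCLER.BIN")]

# Indicators copied from the page; name matching is case-insensitive.
PLUGX_SHA256 = {
    "8ec37dac2beaa494dcefec62f0bf4ae30a6ce44b27a588169d8f0476bbc94115",
    "e72e49dc1d95efabc2c12c46df373173f2e20dab715caf58b1be9ca41ec0e172",
}
PAYLOAD_NAMES = {"akm.dat", "precious.dat", "x32bridge.dat", "groza_1.dat"}
HOST_BINARIES = {"x32dbg.exe", "mediae.exe", "aug.exe", "precious.exe",
                 "safeguard.exe", "dism.exe"}


def suspicious_name(name: str) -> bool:
    """A path component that is all whitespace, or starts/ends with it, renders
    blank or indented in Explorer.  str.strip() treats U+00A0 as whitespace."""
    return name.strip() == "" or name != name.strip()


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def suspicious_lnk(path: Path) -> bool:
    """True when the file is a shell link carrying the cmd.exe + RECYCLER.BIN
    markers.  Byte-pattern triage only, not an MS-SHLLINK parser: an ANSI-only
    link or obfuscated arguments would need the real structure walked."""
    data = path.read_bytes()
    return data.startswith(LNK_MAGIC) and any(m in data for m in LNK_MARKERS)


def scan(root: Path) -> list[tuple[str, str]]:
    """Walk a mount point; return (finding, path relative to root) pairs."""
    findings: list[tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # Any whitespace-named ancestor means we are inside the concealed tree.
        in_hidden_tree = any(suspicious_name(p) for p in here.relative_to(root).parts)
        for d in dirnames:
            rel = (here / d).relative_to(root).as_posix()
            if suspicious_name(d):
                findings.append(("whitespace_dir_name", rel))
            # Windows itself never creates "RECYCLER.BIN"; Vista+ uses $Recycle.Bin.
            if d.strip().upper() == "RECYCLER.BIN":
                findings.append(("decoy_recycle_bin", rel))
        for fn in filenames:
            p = here / fn
            rel = p.relative_to(root).as_posix()
            low = fn.lower()
            if suspicious_name(fn):
                findings.append(("whitespace_file_name", rel))
            if low.endswith(".lnk") and suspicious_lnk(p):
                findings.append(("launcher_lnk", rel))
            if low in PAYLOAD_NAMES:
                findings.append(("plugx_payload_name", rel))
            if low in HOST_BINARIES and in_hidden_tree:
                findings.append(("host_binary_in_hidden_tree", rel))
            if sha256_of(p) in PLUGX_SHA256:
                findings.append(("known_plugx_hash", rel))
    return findings


def build_constructed_usb(root: Path) -> None:
    """Lay out a CONSTRUCTED stand-in for an infected removable drive: dummy
    bytes under the names from the page plus a minimal .lnk (valid header,
    UTF-16LE arguments).  Nothing here is malware."""
    files = root / NBSP / (NBSP + "RECYCLER.BIN") / "files"
    files.mkdir(parents=True)
    (files / "x32dbg.exe").write_bytes(b"MZ-dummy-host")
    (files / "x32bridge.dll").write_bytes(b"MZ-dummy-sideloaded-dll")
    (files / "x32bridge.dat").write_bytes(b"dummy-encrypted-payload")
    args = f'%comspec% /q /c "\\{NBSP}\\{NBSP}RECYCLER.BIN\\files\\x32dbg.exe"'
    header = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    (root / "USB Drive (E).lnk").write_bytes(header + args.encode("utf-16-le"))
    # Benign content that must not be flagged.
    docs = root / "Documents"
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"PK-dummy-document")
    (docs / "notes.lnk").write_bytes(header + "C:\\Users\\Public\\notes.txt".encode("utf-16-le"))


def demo() -> list[tuple[str, str]]:
    """Build the constructed drive in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_usb(root)
        return scan(root)


if __name__ == "__main__":
    for kind, where in demo():
        print(f"{kind:27} {where!r}")
```

Against a real drive, call `scan(Path("E:/"))` (or the mount point on a Linux triage box) and treat any `launcher_lnk`, `decoy_recycle_bin` or `whitespace_dir_name` hit as worth pulling the tree for analysis; a `known_plugx_hash` hit against the two hashes above is a confirmed sample. The name-based checks deliberately strip whitespace before comparing, because the hidden directory names are built from U+00A0 and a plain string compare against "RECYCLER.BIN" would miss them.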
Read more: https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/