Cybersecurity researchers at Palo Alto Networks Unit 42 have discovered a new PlugX sample that infects connected removable USB drives in order to spread the malware to additional systems.
The PlugX worm infects USB devices and hides its activity from the Windows file system, so the user does not know that their USB device is infected or is already being used to steal data from the target network.
The USB version of PlugX uses the Unicode character U+00A0 (non-breaking space) to hide files on a connected USB device. The space conceals the name of the malicious directory rather than leaving a visibly nameless folder in Windows Explorer.
Finally, an LNK shortcut created in the root folder of the USB drive is used to launch the malware from the hidden directory. The PlugX sample not only deploys the malware on the host but also copies it to any connected USB device, disguising it inside a Recycle Bin folder.
The shortcut file has the same name as the USB device and carries the icon of a local disk, and the files already present in the root of the removable device are moved into a hidden folder created inside the directory the shortcut launches from.
Every time the user clicks the shortcut file on the infected USB drive, PlugX launches Windows Explorer and passes the directory path as a parameter. The files on the USB device are then displayed from the hidden directory, and PlugX infects the host.
This attack method relies on the fact that Windows Explorer does not show hidden items by default. Notably, the malicious files in the Recycle Bin folder are not displayed even when that option is turned on. This means they can only be seen on a Unix-like OS such as Ubuntu, or by mounting the USB device in a forensic tool.
New files written to the root folder of the USB device after infection are also moved to the hidden folder. Because the Windows shortcut file mimics the USB device itself, and the malware displays the victim's files as expected, the user unwittingly continues to spread PlugX.
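As an added example (not code from the article or from Unit 42), the following Python script shows how a defender could check a removable drive for the on-disk layout described above when it is mounted on a Linux host or in a forensic tool, where Explorer's hiding rules do not apply: directory names made up only of characters that render as blank, such as U+00A0, and a .lnk file in the root whose name matches the volume label. The directory tree it builds is a constructed mock-up containing placeholder files; the volume label USB_DISK, the file names, and the generalization from U+00A0 to other space-like or format code points are assumptions.

```python
"""Offline scan of a mounted removable drive for blank-named directories and a
shortcut impersonating the volume (constructed example, not Unit 42 code)."""
import os
import tempfile
import unicodedata
from pathlib import Path

# Directory names the malware is reported to hide inside; compared case-insensitively.
RECYCLE_BIN_NAMES = {"$recycle.bin", "recycler", "recycled"}


def is_blank_name(name: str) -> bool:
    """True when every character is space-like (Zs, e.g. U+00A0) or a format
    character (Cf), so the name renders as empty in a file browser.
    Assumption: the trick generalizes beyond U+00A0 to other such code points."""
    return bool(name) and all(
        ch.isspace() or unicodedata.category(ch) in ("Zs", "Cf") for ch in name
    )


def scan_removable_root(root: Path, volume_label: str, max_depth: int = 4) -> list:
    """Walk the mounted drive and return a list of finding dicts."""
    findings = []
    root = root.resolve()
    for dirpath, dirnames, filenames in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)
        if depth >= max_depth:
            dirnames[:] = []  # prune: do not descend further
            continue
        parent_is_bin = Path(dirpath).name.casefold() in RECYCLE_BIN_NAMES
        for d in dirnames:
            if is_blank_name(d):
                findings.append({
                    "type": "blank_named_directory",
                    "path": str(Path(dirpath, d)),
                    "codepoints": [f"U+{ord(c):04X}" for c in d],
                    "inside_recycle_bin": parent_is_bin,
                })
        if depth == 0:
            # Only the drive root is checked for a shortcut named after the volume.
            for f in filenames:
                p = Path(f)
                if p.suffix.casefold() == ".lnk" and p.stem.casefold() == volume_label.casefold():
                    findings.append({
                        "type": "shortcut_impersonating_volume",
                        "path": str(Path(dirpath, f)),
                    })
    return findings


def build_constructed_sample(base: Path, volume_label: str = "USB_DISK") -> None:
    """Create a constructed directory tree mimicking the described layout.
    All files are harmless placeholders; nothing here is real malware."""
    hidden = base / "\u00a0"                      # directory whose name is a single U+00A0
    nested = hidden / "$RECYCLE.BIN" / "\u00a0"   # blank-named folder inside a Recycle Bin folder
    nested.mkdir(parents=True)
    (nested / "payload.placeholder").write_text("constructed placeholder, not malware\n")
    (hidden / "report.docx").write_text("constructed decoy: a user file moved off the root\n")
    (base / f"{volume_label}.lnk").write_bytes(b"constructed .lnk placeholder")
    (base / "Photos").mkdir()                     # benign folder that must not be flagged


def demo() -> list:
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_constructed_sample(base, "USB_DISK")
        return scan_removable_root(base, "USB_DISK")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the scan from a non-Windows mount matters because, as the article notes, Explorer never renders the blank-named directory and does not show the Recycle Bin contents even with hidden items enabled; a plain directory walk has no such blind spot, and reporting the exact code points of a blank name makes the finding reviewable.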
Unit 42 also found a second PlugX variant which, in addition to infecting USB devices, copies all Adobe PDF and Microsoft Word files from the host into another hidden directory created by the malware.
With this latest development, PlugX joins other malware families such as Andromeda and Raspberry Robin that have added the ability to spread through infected USB drives. It shows that PlugX development is still flourishing, at least among some technically capable attackers, and that it remains an active threat.