Researchers at Sophos have uncovered a new version of the USB-spreading PlugX malware. The newest variant carries a new payload and a new communication mechanism with its command and control (C2) server. PlugX is a well-known family of malicious software that spreads through USB drives. The malware is currently spreading rapidly across African countries such as Ghana, Zimbabwe, and Nigeria, and Sophos experts have also recorded the new version in Papua New Guinea and Mongolia. Sophos believes that the Chinese group Mustang Panda may be behind this campaign.
Once an infected USB drive is inserted into a computer, the malware presents a decoy in the root of the device that looks like the flash drive itself. The drive also holds several hidden folders containing the malicious components. One of them, “Recycler.bin”, is deliberately named to resemble the Windows recycle bin; it links the user’s recycle bin to a folder on the drive that contains the files providing the full functionality of the malicious program.
The new version of PlugX is capable of sending encrypted files to the attackers over the internet. It collects files with the extensions “.doc”, “.docx”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, and “.pdf” and stores them in encrypted form for later exfiltration. The files are kept in the Recycler.bin folder, and their names are converted to Base64.
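Added example, not code from the Sophos report: a defender-side Python check that looks for the Recycler.bin staging folder in a drive's root and decodes Base64 file names back to document names, so staged files can be spotted before the drive is reused. The sample drive layout is constructed in a temporary directory for offline testing.

```python
import base64
import os
import re
import tempfile

# Document extensions the article says the new PlugX variant collects.
STAGED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
# Staging folder name from the article; matched case-insensitively.
STAGING_FOLDER = "recycler.bin"
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_staged_name(name: str):
    """Return the original file name if `name` is Base64 that decodes to a
    name with one of the staged document extensions, otherwise None."""
    if not _B64_RE.match(name) or len(name) % 4:
        return None
    try:
        decoded = base64.b64decode(name, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if os.path.splitext(decoded)[1].lower() in STAGED_EXTENSIONS else None


def scan_drive_root(root: str):
    """Find a Recycler.bin folder directly under `root` and report any
    Base64-named files inside it that decode to document names.
    os.listdir returns hidden folders too, so the hidden attribute does not matter."""
    findings = []
    for entry in os.listdir(root):
        folder = os.path.join(root, entry)
        if entry.lower() != STAGING_FOLDER or not os.path.isdir(folder):
            continue
        for dirpath, _, files in os.walk(folder):
            for fname in files:
                original = decode_staged_name(fname)
                if original is not None:
                    findings.append((os.path.join(dirpath, fname), original))
    return findings


def build_demo_drive():
    """Constructed sample layout imitating the described staging folder."""
    root = tempfile.mkdtemp()
    staging = os.path.join(root, "RECYCLER.BIN")
    os.makedirs(staging)
    for original in ("budget.xlsx", "report.pdf", "notes.txt"):
        encoded = base64.b64encode(original.encode()).decode()
        open(os.path.join(staging, encoded), "wb").close()
    return root


if __name__ == "__main__":
    for path, original in scan_drive_root(build_demo_drive()):
        print(f"{path} -> {original}")
```

On the constructed sample the scan reports budget.xlsx and report.pdf and ignores notes.txt, whose extension is not one the variant collects.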
Sophos does not consider removable drives an especially effective means of infection compared with internet-based attacks. Nonetheless, Sophos Threat Research Director Gabor Szappanos notes that the use of USB drives in this particular campaign has been very effective.