AICPA SOC Service Organizations - Certrec

Your USB May be Infected with PlugX Malware

Is the PlugX Malware Hiding in Your Removable USB Devices - certrec1

Palo Alto Network’s Unit 42 incident response team has analyzed a new variant of the PlugX malware that is able to hide malicious files on USB devices. It was detected by cybersecurity researchers during a Black Basta breach response that had several tools like GootLoader malware, Brute Ratel C4 red-teaming tool, and a PlugX malware sample that was older, on the machines of the victim.

This PlugX malware is able to stay undetected by using a technique researchers are calling “a novel technique.” There is a risk that the malware could spread to air-gapped systems.

What is Malware? And What is PlugX Malware?

Any kind of software that can steal sensitive information, expose your identity to cybercriminals, harm your computer, and gradually slow down your computer is “Malware.” Some common types of malware include:

  • Virus: is able to copy itself and infect a computer.
  • Worm: sends copies of itself, through a network, to other computers.
  • Spyware: collects information without people’s knowledge.
  • Adware: is a software that downloads ads on a device.
  • Trojan horse: is a program pretending to be a useful app, but once installed, it harms a computer.
  • Ransomware: demands a ransom after locking and encrypting a victim’s device.
  • Bots or Botnets: gain access to devices through malicious coding. They give hackers remote control of devices, send phishing emails from the device, record activity and can take screenshots.
  • Rootkits: grant cybercriminals remote control of devices without the victim’s knowledge. It is often spread through phishing and malicious downloads or attachments.  
  • Fileless Malware: is memory-based, not file-based. It disrupts antivirus software and steals data.
  • Malvertising: comes from ads on legitimate websites. It results in ransomware attacks, credit card fraud and data theft.

What is PlugX Malware?


PlugX malware is a second-stage implant, It is used by several cybercrime groups including multiple groups in the Chinese nexus. It has been around for more than 10 years and has been seen in high-profile cyberattacks. It is a modular framework, and has been gradually developing capabilities over the years. 

What Does This PlugX Variant Do - Internal Image - Certrec

What Does This PlugX Variant Do?

According to Unit 42 researchers Mike Harbison and Jen Miller-Osborn, “This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system.” They said, “A user would not know their USB device is infected or possibly used to exfiltrate data out of their networks.”

The researchers at Unit 42 explained that a Unicode whitespace character called non-breaking space is used by this USB variant of PlugX to hide malicious files in a USB while it is plugged into a machine. It is a space that is not visible in Windows Explorer, but it does not cause a line break.

The malware creates a windows shortcut (.LNK) icon in the root folder of the USB in order to deceive the victim into believing that it is a USB drive.

Not only does the PlugX sample implant the malware on the host, it copies it to the removable device connected to it, by concealing it inside the recycle bin.

The novel technique, as it has been called, relies on the fact that hidden items are not shown in the Windows File Explorer, by default. Even when the setting is enabled to show items, the malicious files inside the recycle bin don’t show up. The infected files can only be viewed by Ubuntu, which is a Unix-like operating system. The other way they can be seen is with the help of a forensic tool.

For more information on this topic, click here.

Disclaimer: Any opinions expressed in this blog do not necessarily reflect the opinions of Certrec. This content is meant for informational purposes only.