This malware hides on USB drives, waiting to attack Windows machines

The Palo Alto Networks Unit 42 team discovered a range of tools and malware samples in a recent Black Basta breach, with one particularly nasty strain attracting special attention.
The campaign uses the long-running PlugX malware to infect removable USB drives, which may then go on to infect any Windows servers to which they are connected.
Apparently over a decade old, the campaign was initially attributed to Chinese hacker groups. However, it has supported a “growing set of capabilities over the course of many years”, making it very difficult to attribute to any particular group or individual.
PlugX USB Malware
In this latest iteration, researchers found that it goes largely undetected even on the latest version of Windows, to the point where the malicious files “can only be viewed on Unix-like systems or by attaching the USB device to a forensic tool”.
It hides files using a certain Unicode character and prevents Windows Explorer and the command shell from showing the user the USB drive's folder structure, effectively concealing the files it has copied from its host. It has been found to mainly target Adobe PDF and Microsoft Word files.
The report details that the malware constantly monitors for newly attached USB removable devices, and that victims unknowingly continue to spread PlugX thanks to this “novel” trick.
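As an added defensive illustration (not code from the Unit 42 report or from this article), the following Python scan walks a mounted removable drive and flags file or directory names that consist of, or contain, invisible Unicode characters, which is how a name can be rendered blank by Explorer and cmd.exe. The specific characters U+00A0 and U+200B in the constructed sample layout are assumptions, since the article does not name the character PlugX uses.

```python
import os
import tempfile
import unicodedata
from typing import Dict, List

# Unicode general categories that have no business in a file or directory
# name: space separators (Zs), control (Cc) and format (Cf) characters.
# A plain ASCII space (U+0020) is legitimate and therefore exempt.
SUSPICIOUS_CATEGORIES = {"Zs", "Cc", "Cf"}


def suspicious_chars(name: str) -> List[str]:
    """Code points in *name* that belong to a suspicious category."""
    return [f"U+{ord(ch):04X}" for ch in name
            if ch != " " and unicodedata.category(ch) in SUSPICIOUS_CATEGORIES]


def scan_removable_drive(root: str) -> Dict[str, str]:
    """Walk *root* and classify every entry whose name carries such characters.

    "blank_name"  : the whole name is whitespace/format characters, so a file
                    manager renders it as an empty or invisible entry.
    "hidden_char" : a normal-looking name with an embedded invisible character.
    Returns a mapping of path (relative to root) -> classification.
    """
    findings: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            flagged = suspicious_chars(entry)
            if not flagged:
                continue
            rel = os.path.relpath(os.path.join(dirpath, entry), root)
            all_invisible = len(flagged) == len(entry)
            findings[rel] = "blank_name" if all_invisible else "hidden_char"
    return findings


def demo() -> Dict[str, str]:
    """Build a constructed (hypothetical) drive layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(drive, "Reports"))            # benign folder
        os.makedirs(os.path.join(drive, "\u00a0"))             # blank-named folder (assumed U+00A0)
        with open(os.path.join(drive, "\u00a0", "payload.txt"), "w") as fh:
            fh.write("constructed sample\n")
        with open(os.path.join(drive, "invoice\u200b.docx"), "w") as fh:
            fh.write("constructed sample\n")                    # zero-width space inside name
        return scan_removable_drive(drive)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:12} {path!r}")
```

Run it against the mount point of a drive under investigation (for example `scan_removable_drive("/mnt/usb")`) from a non-Windows analysis host, which is the setting the report describes as able to see the hidden entries.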
Full details of the detections and of the processes the malware is believed to follow can be found on Palo Alto Networks’ website. The company also says it will share its findings with members of the Cyber Threat Alliance (CTA), which includes Avast, McAfee and Sophos.
Its own products are designed to protect users from such attacks, but it encourages anyone who believes they have been infected to contact the company. Computer users are also encouraged to take a cautious approach to suspicious websites, emails and other activities that could be the source of a cyber attack.