PlugX Malware Found Infecting USB Drives

Ophtek, PlugX malware, USB Drives, USB Malware, , , ,
21
Mar 2023

We all use USB devices daily, but these innovative and simple devices also make the perfect environment for the PlugX malware to take hold.

USB devices are installed and ready to use within seconds of being plugged into a PC, a setup procedure which is a marked improvement on the traditional approach of installing via a CD. In fact, since the 1990s, USB connections have become ubiquitous in the hardware market. One of the most popular USB devices is the portable drive, a simple way of transferring data from one PC to another. However, USB drives have always represented a security risk and it’s this risk which PlugX is now exploiting.

How Did PlugX Get onto USB Drives?

First gaining notoriety around 15 years ago, PlugX is far from a new and mysterious strain of malware. However, it remains a viable threat when it comes to spreading malware and infecting systems.

This recent attack started with a popular Windows debugging tool called x64dbg being hijacked and manipulated by threat actors. Using the 32-bit version of x64dbg (x32dbg.exe), the threat actors execute a malicious file they have created called x32bridge.dat. Once activated, x32bridge.dat infects the resident PC and, more importantly, searchew out any USB drives connected to it. The PlugX malware is then loaded onto this USB drive.

To cover its tracks, PlugX uses a Unicode character technique to prevent the true contents and structure of the USB drive being displayed by Windows Explorer. A shortcut .LNK file is then installed in the root directory of the USB drive, which appears to be a link to the USB drive and even copys the device’s name. However, the link actually activates the PlugX malware from a hidden directory on the USB drive and allows it to search out other USB drives attached to the PC. And each time this drive is connected to a new PC, the infection process begins again.

PlugX, of course, does much more than simply spread from PC to PC without causing any damage. In fact, PlugX has the capability to launch the following attacks:

  • Keystroke logging
  • Screen captures
  • Managing processes on PCs
  • Rebooting the system
  • Remote control of the keyboard and mouse
  • Copying PDF and Word documents from the infected PC to the USB’s hidden directories

How Do You Pull the Plug on PlugX?

PlugX is currently difficult to detect due to the way in which it works, with only 11 out of 5U9 anti-malware tools currently detecting it according to Virus Total. Therefore, it’s a tough slice of malware to contend with. Nonetheless, you can minimize the risk it presents to your organization by:

  • Blocking access to USB storage drives: it’s a good idea to restrict access to USB storage drives by employees. After all, there’s little reason why they should be removing data from a company PC. Accordingly, you can block employee access to USB drives through your administration settings, effectively rendering USB ports as unusable. If an employee does need to transfer data, make this an action only privileged users can process.
  • Monitor network activity: PlugX falls under the category of being a Remote Access Trojan, so it’s likely that unusual network activity will be caused by the threat actors connecting to infected PCs. As such, any network activity which involves connections to unknown destinations should immediately be halted and investigated.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Raspberry Robin: A New USB-based Malware

Ophtek, Rasberry Robin, USB Drives, USB Flash Drives, USB Malware, , ,
17
May 2022

USB drives are vital parts of any IT system, providing external storage and simple file transfers. But they also run the risk of introducing malware to PCs.

We’ve talked in the past about USB drives which can completely destroy a PC, but this new threat is a little different. Believed to have been active in the digital wild since September 2021, Raspberry Robin (as it has been named by researchers) is a strain of malware loaded with a series of dangerous commands. Although it was first discovered in September 2021, researchers noted a sharp uptick in its activity during January 2022. Accordingly, like most malware, it’s likely that its activity will accelerate again in the future, so it’s crucial you know what to look for.

What is Raspberry Robin?

Despite sounding like a charming brand of candy, Raspberry Robin is far from sweet. Instead, it’s a form of malware which is delivered to its victims through an infected USB drive. Quite how Raspberry Robin makes its way onto these USB drives is a question which has security researchers scratching their heads. Regardless of this mystery, however, the fact remains that Raspberry Robin is there and it’s capable of causing digital chaos.

Once the infected USB drive is connected to an active PC, it uses this as a prompt to activate a shortcut link housed on the USB drive. This opens explorer.exe and, most importantly, MsiExec.exe which is used to install new programs in Windows. MsiExec.exe is then used to launch a communication channel to an external domain, from which it will receive malicious commands. Raspberry Robin also harnesses MsiExec.exe to install a malicious .DLL file, although it is yet to be established what the objective of this file is.

Another feature of Raspberry Robin’s attack strategy is to execute the Windows tool fodhelper.exe – this is used to manage features in Windows settings – and instruct rundll32.exe to, in turn, launch further malicious actions. These processes are executed with elevated admin privileges, yet do not require authorization from a User Account Control prompt. While this allows Raspberry Robin unauthorized privileges, it also highlights unusual behavior on a PC and can be used to identify the malware’s presence.

How Can You Avoid Raspberry Robin?

One of the simplest ways to minimize your risk against Raspberry Robin is to never plug unknown USB drives into a PC. Without scanning the drive thoroughly and securely, there is no way of knowing exactly what’s on there. And this can put your PC and indeed your entire IT network at risk.

Likewise, any new USB drives purchased by your organization should be tested by an IT professional on an offline network. This approach will prevent malware such as Raspberry Robin spreading throughout your IT network.

It’s also important that you practice good network monitoring. As Raspberry Robin communicates with external domains, significant traffic will be visible between your network and new, unknown locations. Identifying unusual traffic patterns such as this will allow you to investigate and take care of any concerns.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More