Black Basta Deploys PlugX Malware in USB Devices With New Technique

Incident response operations following a Black Basta ransomware breach have revealed the use of a new PlugX malware variant that automatically infects attached removable USB media devices.

Palo Alto Networks Unit 42 shared findings today, adding that the new PlugX variant is “wormable” and can infect USB devices in a way that hides itself from the Windows operating system’s file system.

“This PlugX malware also has a new technique that hides the attacker’s files on a USB device, so that the malicious files can only be viewed on a *nix OS or by mounting the USB device in a forensic tool,” reads Unit 42’s advisory about the new threat.

“This ability to evade detection allows PlugX malware to continue to spread and potentially jump onto air-gapped networks.”

Unit 42 also added that the team discovered a similar variant of PlugX that can infect USB devices and copy all Adobe PDF and Microsoft Word files from the host, then move the copies to an automatically created hidden folder on the USB device.

From a technical point of view, PlugX is a second-stage implant that security researchers say is being used by multiple Chinese-linked groups and multiple cybercriminal groups.

“It has been around for over a decade and has been observed in several high-profile cyberattacks, including the US Office of Personnel Management (OPM) breach in 2015,” reads the Unit 42 advisory. “It is a modular malware framework that has supported an evolving set of features over the years.”

The connection between the malware tool and Black Basta stems from the fact that the Brute Ratel post-exploitation tool used in these attacks is the same Badger payload previously reported by Trend Micro as being associated with the ransomware group.

Another malware tool frequently used by Black Basta is Qakbot, which the attackers reportedly used in 2022 to gain initial access and move laterally within an organization’s network.
