A sophisticated new PlugX USB worm is stealthily infecting systems across multiple continents, utilizing a deceptive DLL sideloading technique to evade detection. First observed in Papua New Guinea in August 2022, this advanced persistent threat (APT) variant re-emerged in early 2023, with infections confirmed in geographically disparate locations including Ghana, Mongolia, Zimbabwe, and Nigeria, spanning nearly ten time zones and highlighting its significant global reach.
While PlugX, a remote access Trojan (RAT) with known origins in China, is not a new threat, this particular variant distinguishes itself with a novel payload and its association with a command-and-control (C2) server not previously closely linked to the malware family. The primary infection vector appears to be through USB drives, with the worm employing advanced evasion methods to maintain a low profile on compromised machines.
New PlugX USB Worm Leverages DLL Sideloading for Global Spread
The discovery of this widespread PlugX USB worm was initiated by Sophos X-Ops researchers, led by analyst Gabor Szappanos, who were alerted by a CryptoGuard flag, likely indicating a data exfiltration attempt. The infection package is meticulously crafted: a legitimate, signed AvastSvc.exe executable is abused to sideload a malicious DLL named wsc.dll, which in turn loads an encrypted payload designed to quietly install the PlugX backdoor on the target system.
Tracing the C2 activity, researchers identified an IP address, 45.142.166[.]112, which had been tangentially linked to PlugX in a 2019 report by Unit 42 but without a confirmed operator. However, the current investigation, according to Sophos researchers, strongly aligns with the established operational patterns of PKPLUG, also known as Mustang Panda. This attribution reinforces the connection between the identified C2 infrastructure and this China-linked APT group, suggesting a targeted and persistent campaign.
The widespread geographical distribution of this new PlugX variant is a key characteristic. The worm’s ability to hop between continents, facilitated by its reliance on USB drives and sophisticated evasion tactics, underscores the evolving nature of cyber threats and the challenges in containing malware outbreaks.
DLL Sideloading and USB-Based Evasion Tactics
The infection mechanism employed by this PlugX variant is characterized by its deceptive nature. When the worm makes its way onto a USB drive, it uses specific mutex strings—USB_NOTIFY_COP and USB_NOTIFY_INF—to manage its operations, ensuring no trace is left visible in a standard Windows Explorer view after a typical interaction.
Victims are presented with what appears to be a legitimate shortcut file, meticulously designed to mimic another removable disk, complete with an identical drive icon. Upon execution, this shortcut silently launches the CEFHelper executable, which is, in fact, a renamed version of the legitimate AvastSvc.exe file. This renaming is a deliberate obfuscation tactic, mimicking a legitimate Adobe process, thereby reducing the likelihood of immediate suspicion.
Further concealment is achieved by assigning hidden and system attributes to all other malicious files and directories. This renders them invisible by default in standard file listings, making a manual discovery exceptionally difficult. The malware strategically stores all its components within a directory named RECYCLER.BIN.
To enhance its disguise, the worm drops a desktop.ini file within this directory. This file instructs Windows to treat the RECYCLER.BIN folder as the system’s actual Recycle Bin, so opening it shows the user’s own deleted files, effectively camouflaging the worm’s presence. The malware also collects documents in common formats, including .doc, .docx, .xls, .xlsx, .ppt, .pptx, and .pdf files, encrypts them, and stores them in the RECYCLER.BIN folder under base64-encoded file names, staged for subsequent exfiltration.
Organizations that handle sensitive data should consider USB drive connections a significant security risk. Implementing basic security measures, such as disabling AutoRun and AutoPlay functionalities for all removable media, can be an effective initial step. IT departments should also configure systems to display hidden and system files by default. This setting can aid in spotting unusual directories like RECYCLER.BIN. Continuous monitoring of outbound C2 traffic and the deployment of endpoint protection solutions capable of detecting DLL sideloading activities are critical for defending against such targeted threats.
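A triage script for the on-disk layout described above, added here as an example and not code from Sophos or the report: it walks a mounted removable drive and flags the drive-lookalike .lnk, the RECYCLER.BIN staging folder with its desktop.ini, CEFHelper.exe and wsc.dll, base64-named files inside the staging folder, and files carrying both hidden and system attributes (the attribute check only has meaning when run on Windows). The indicator names and the constructed sample tree in demo() are this example's own assumptions.

```python
import base64
import os
import re
import stat
import tempfile
from pathlib import Path

STAGING_DIR = "recycler.bin"      # folder the worm uses to stage everything (from the write-up)
SIDELOAD_HOST = "cefhelper.exe"   # renamed legitimate AvastSvc.exe used as the sideloading host
SIDELOAD_DLL = "wsc.dll"          # malicious DLL loaded by the host
B64_NAME = re.compile(r"^[A-Za-z0-9+_-]{8,}={0,2}$")  # '/' cannot occur in a file name

def _hidden_and_system(path: Path) -> bool:
    """True when both attributes are set; st_file_attributes exists only on Windows."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) and bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)

def _looks_base64(name: str) -> bool:
    """Heuristic: plausible standard or URL-safe base64, only applied inside the staging folder."""
    if not B64_NAME.match(name) or len(name) % 4:
        return False
    try:
        base64.b64decode(name.replace("-", "+").replace("_", "/"), validate=True)
        return True
    except ValueError:  # binascii.Error subclasses ValueError
        return False

def scan_removable_drive(root) -> list[tuple[str, str]]:
    """Return (indicator, path) pairs found under root, the drive's mount point."""
    root = Path(root)
    findings = [("drive_lure_shortcut", str(p)) for p in root.iterdir() if p.suffix.lower() == ".lnk"]
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        in_staging = STAGING_DIR in (part.lower() for part in here.relative_to(root).parts)
        findings += [("staging_dir", str(here / d)) for d in dirnames if d.lower() == STAGING_DIR]
        for name in filenames:
            p, low = here / name, name.lower()
            if low == SIDELOAD_HOST:
                findings.append(("sideload_host", str(p)))
            elif low == SIDELOAD_DLL:
                findings.append(("sideload_dll", str(p)))
            elif in_staging and low == "desktop.ini":
                findings.append(("recycle_bin_masquerade", str(p)))  # folder posing as the Recycle Bin
            elif in_staging and _looks_base64(name):
                findings.append(("encrypted_doc_candidate", str(p)))
            if _hidden_and_system(p):
                findings.append(("hidden_system_attrs", str(p)))
    return findings

def demo() -> list[str]:
    """Build a constructed copy of the layout in a temp dir and return the indicators hit."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "Removable Disk.lnk").write_bytes(b"")  # lure shortcut carrying a drive icon
        staging = drive / "RECYCLER.BIN"
        staging.mkdir()
        for f in ("desktop.ini", "CEFHelper.exe", "wsc.dll"):
            (staging / f).write_bytes(b"")
        (staging / base64.b64encode(b"report.docx").decode()).write_bytes(b"\x00" * 16)
        return sorted({kind for kind, _ in scan_removable_drive(drive)})
```

Point scan_removable_drive() at the drive letter or mount point of a suspect USB stick; every hit is a reason to image the drive rather than open anything on it.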