An operation responding to a Black Basta ransomware compromise has revealed the use of a new PlugX malware variant that can automatically infect any attached removable USB media devices.
Palo Alto Networks Unit 42 shared the findings with Infosecurity earlier today, adding that the new PlugX variant is “wormable” and can infect USB devices in such a way that it hides itself from the Windows operating file system.
“This PlugX malware also hides attacker files in a USB device with a novel technique, which makes the malicious files only viewable on a *nix OS or by mounting the USB device in a forensic tool,” reads a Unit 42 advisory about the new threat.
“Because of this ability to evade detection, the PlugX malware can continue to spread and potentially jump to air-gapped networks.”
Unit 42 also added that the team had found a similar variant of PlugX that can infect USB devices and copy all Adobe PDF and Microsoft Word files from the host. It then moves the copies into an automatically created, hidden folder on the USB device.
From a technical standpoint, PlugX is a second-stage implant which, according to the security researchers, is used by multiple groups with a Chinese nexus as well as several cybercrime groups.
“It has been around for over a decade and has been observed in some high-profile cyber-attacks, including the U.S. Government Office of Personnel Management (OPM) breach in 2015,” reads the Unit 42 advisory. “It is a modular malware framework, supporting an evolving set of capabilities throughout the years.”
The connection between the malware tool and Black Basta comes from the fact that the Brute Ratel post-exploitation tool used in these attacks is the same badger payload that Trend Micro previously reported and associated with the ransomware group.
Another malware tool frequently used by Black Basta is Qakbot, which the threat actor reportedly used in 2022 to create a first point of entry and move laterally within organizations’ networks.