New PlugX USB Worm Variant Drives Global Infection Waves
A recently identified variant of the PlugX USB worm is driving fresh waves of infection across several continents and has drawn concern from both government and private-sector defenders. The malware spreads through removable USB media and relies on DLL sideloading, in which a legitimate signed executable is tricked into loading a malicious library, to keep its payload out of sight of endpoint defenses.
The variant was first noted in Papua New Guinea in August 2022. Its reappearance has since been recorded not only in the Pacific Rim but also in countries such as Ghana, Mongolia, Zimbabwe, and Nigeria. The pattern is one of scattered but widespread infection clusters rather than a single contiguous outbreak.
PlugX, which has its origins in China, is a long-running remote access Trojan (RAT) that has been used repeatedly by espionage-focused groups. One of its most common deployment methods is DLL sideloading: a legitimate, signed executable is placed next to a malicious DLL with the name it expects, and the operating system loads the attacker's library as if it were the vendor's own.
The distribution pattern observed in this particular campaign suggests that the operators may be using targeted distribution strategies rather than broad phishing attempts. The geographical separation of infection clusters indicates that the malware is likely being spread through physical media or methodical USB seeding rather than traditional digital avenues.
Researchers have pointed out that this variant is notable for introducing a new payload, utilizing callbacks to a command-and-control (C2) server previously thought to be loosely associated with PlugX activities. The new variant connects to C2 infrastructure at the IP address 45.142.166[.]112, aligning with earlier investigations that tentatively linked this endpoint to various "other PlugX" activities. Recent analyses have further reinforced the connection to the threat actor known as PKPLUG, also referred to as Mustang Panda.
Mechanisms of Propagation
The loader chain abuses a legitimate Avast executable, AvastSvc.exe, which is not itself malicious but loads a DLL by name from its own directory and so can be sideloaded. The worm places that executable alongside a malicious DLL and an encrypted PlugX payload. Once an infection takes hold, the worm drops these components into a directory named RECYCLER.BIN on the infected host and on any removable drives it finds. It also renames the trusted Avast binary to something innocuous such as CEFHelper.exe so that the running process looks like a benign helper.
When a user double-clicks what appears to be a shortcut to the removable drive, Windows runs the renamed Avast executable, which in turn sideloads the malicious DLL; the DLL then decrypts and launches the PlugX backdoor in memory. To support data theft and lateral movement, the worm also drops a batch script that runs a series of discovery commands and writes their obfuscated output to an encoded file for later collection.
The malware also searches for documents with specific extensions, including .doc, .pdf, and several spreadsheet formats, and stores encrypted copies in the RECYCLER.BIN directory. Because that directory is hidden and dressed up as the Recycle Bin, the stolen files stay out of immediate view.
Renewed Focus on USB Worm Tactics
PlugX's latest variant marks a return to classic USB worm tactics, which had been overshadowed by cloud storage and email as the primary infection vectors. The worm makes the USB drive appear empty except for a single "removable disk" entry. That entry is in fact a shortcut (.lnk) file: opening it launches the renamed loader, which sideloads the malicious DLL, rather than opening the drive's contents.
All malicious files and stolen data are marked hidden, and a crafted desktop.ini file in the RECYCLER.BIN directory associates the folder with the system's Recycle Bin so that Explorer renders it with the Recycle Bin name and icon. This layer of deception makes it harder for users to notice anything amiss and strengthens the worm's stealth.
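The on-disk layout described in the two sections above (a root-level shortcut posing as the drive, a RECYCLER.BIN staging directory holding the renamed loader and its sideload DLL, and a desktop.ini that points the folder at the Recycle Bin) is something an incident responder can triage directly from a mounted drive. The following script is an added example, not code from the article or from any vendor report; it builds a constructed replica of that layout in a temporary directory and scans it for the indicators named on this page. The Recycle Bin CLSID it checks for is the standard Windows shell value; the file name helper.dll is a hypothetical stand-in for the sideloaded DLL, whose real name the article does not give.

```python
"""
Triage scanner for the PlugX USB-worm drive layout described above.

Added example, not code from the original article or from any vendor.
Indicator names (RECYCLER.BIN, desktop.ini, a root-level .lnk, a renamed
loader such as CEFHelper.exe) come from the article. The Recycle Bin CLSID
is the well-known Windows shell value. The sample drive produced by
build_sample_drive() is constructed for this demo; helper.dll is a
hypothetical stand-in for the sideloaded DLL.
"""
import tempfile
from pathlib import Path

# Shell CLSID of the Recycle Bin. A desktop.ini carrying this value makes
# Explorer show the folder with the Recycle Bin name and icon.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
STAGING_DIR = "RECYCLER.BIN"
LOADER_EXTS = {".exe", ".dll"}
FILE_ATTRIBUTE_HIDDEN = 0x2


def is_hidden(p: Path) -> bool:
    """Hidden attribute check; st_file_attributes exists only on Windows."""
    attrs = getattr(p.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def scan_drive_root(root) -> list:
    """Return (indicator, path) tuples for the worm's layout under a drive root."""
    root = Path(root)
    findings = []

    # 1. Root-level .lnk: the lure is a shortcut that poses as the drive itself.
    for p in root.iterdir():
        if p.is_file() and p.suffix.lower() == ".lnk":
            findings.append(("root_lnk", str(p)))
            if is_hidden(p):
                findings.append(("hidden_root_lnk", str(p)))

    staging = root / STAGING_DIR
    if staging.is_dir():
        findings.append(("staging_dir", str(staging)))

        # 2. desktop.ini that points the folder at the Recycle Bin CLSID.
        ini = staging / "desktop.ini"
        if ini.is_file():
            text = ini.read_text(encoding="utf-8", errors="ignore")
            if RECYCLE_BIN_CLSID.lower() in text.lower():
                findings.append(("recycle_bin_clsid", str(ini)))

        # 3. Loader and sideload pair (any EXE/DLL) inside the staging directory.
        for p in sorted(staging.rglob("*")):
            if p.is_file() and p.suffix.lower() in LOADER_EXTS:
                findings.append(("staged_binary", str(p)))

    return findings


def build_sample_drive(infected: bool = True) -> Path:
    """Create a constructed replica of the drive layout in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "report.docx").write_bytes(b"PK\x03\x04")  # ordinary user file
    if not infected:
        return root
    # Placeholder bytes only; a real .lnk starts with the 0x4C header.
    (root / "Removable Disk.lnk").write_bytes(b"L\x00\x00\x00")
    staging = root / STAGING_DIR
    staging.mkdir()
    (staging / "desktop.ini").write_text(
        "[.ShellClassInfo]\r\nCLSID=" + RECYCLE_BIN_CLSID + "\r\n",
        encoding="utf-8",
    )
    (staging / "CEFHelper.exe").write_bytes(b"MZ")  # renamed legitimate loader
    (staging / "helper.dll").write_bytes(b"MZ")     # hypothetical sideload DLL
    return root


if __name__ == "__main__":
    for kind, path in scan_drive_root(build_sample_drive()):
        print(f"{kind:18} {path}")
```

Point scan_drive_root at a mounted drive letter (for example `E:\`) to triage a real device; on Windows the hidden_root_lnk indicator fires as well, since the worm marks its files hidden. The script only reads the drive, so it is safe to run on a suspect device, but do not open the shortcut or execute anything from RECYCLER.BIN while triaging.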
Even though USB worms became less common as cloud services took over file sharing, this USB-aware variant shows that advanced persistent threat (APT) actors are reviving the technique, not least because it offers a way into networks that are air-gapped or tightly segmented. Data from recent sinkholing operations indicate that self-propagating PlugX USB variants stay active long after their initial deployment, with large numbers of distinct public IP addresses still connecting to the sinkholed C2 infrastructure.
In sum, the new DLL-sideloading PlugX USB worm variant shows how adaptable an established malware framework can be: an existing toolset, repackaged with minimal changes, is enough to seed fresh and geographically dispersed campaigns. The ongoing threat underlines the need for controls on removable media, monitoring for sideloaded loaders, and wider awareness across organizations.

