Cybersecurity researchers have uncovered a PlugX sample that employs sneaky methods to infect attached removable USB media devices in order to propagate the malware to additional systems.
“This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system,” Palo Alto Networks Unit 42 researchers Mike Harbison and Jen Miller-Osborn said. “A user would not know their USB device is infected or possibly used to exfiltrate data out of their networks.”
The cybersecurity company said it uncovered the artefact during an incident response effort following a Black Basta ransomware attack against an unnamed victim. Among other tools discovered in the compromised environment include the Gootkit malware loader and the Brute Ratel C4 red team framework.
The use of Brute Ratel by the Black Basta group was previously highlighted by Trend Micro in October 2022, with the software delivered as a second-stage payload by means of a Qakbot phishing campaign. The attack chain has since been used against a large, regional energy outfit based in the south-eastern U.S., according to Quadrant Security.
However, there is no evidence that ties PlugX, a backdoor extensively shared across several Chinese nation-state groups, or Gootkit to the Black Basta ransomware gang, suggesting that the malware may have been deployed by other actors.
images from Hacker News