A newly identified variant of the PlugX worm is actively spreading across continents, leveraging USB drives and stealth techniques to infiltrate systems without detection. Notably, cybersecurity researchers have observed this malware across regions spanning nearly ten time zones, signaling a significant global threat.

Initially, analysts detected the worm in Papua New Guinea in August 2022. However, it resurfaced in January 2023, reappearing in both Papua New Guinea and Ghana—two geographically distant locations separated by approximately 10,000 miles. Subsequently, infections emerged in Mongolia, Zimbabwe, and Nigeria, highlighting the worm’s rapid and widespread distribution.

Although PlugX itself is not new, this variant introduces a more sophisticated payload. Traditionally recognized as a remote access Trojan (RAT) linked to Chinese threat actors, PlugX has been used in numerous cyber espionage campaigns. This version distinguishes itself through its updated payload and its use of a command-and-control (C2) server that had not previously been attributed to a specific threat actor.

To execute its attack, the worm employs DLL sideloading, a deceptive technique in which a legitimate application unknowingly loads a malicious DLL file. As a result, the malware runs quietly, bypassing immediate detection. Researchers at Sophos X-Ops, led by analyst Gabor Szappanos, discovered the threat following a CryptoGuard alert, which likely indicated a data exfiltration attempt.

The infection chain includes a legitimate AvastSvc.exe executable vulnerable to DLL sideloading, a malicious wsc.dll file, and an encrypted payload. Together, these components enable the malware to establish a hidden backdoor on compromised systems.
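The sideloading triple described above (a signed host executable, a same-named DLL beside it, and an encrypted payload) has a recognisable shape on disk. The following PowerShell script is an added example, not code from Sophos or from the article: it walks the given roots for an AvastSvc.exe that has a wsc.dll next to it and compares their Authenticode status, flagging a validly signed host binary paired with an unsigned or differently signed DLL. The search roots, the file names as parameters, and the "same signer means benign" heuristic are assumptions for illustration and should be tuned to your environment.

```powershell
# Added example (not from the Sophos report or the article): locate the
# AvastSvc.exe + wsc.dll sideloading pair and compare code signatures.
# Assumptions: search roots and the signer-mismatch heuristic are illustrative;
# Get-AuthenticodeSignature reports only what the local trust store can verify.

param(
    [string[]]$SearchRoots = @("$env:SystemDrive\", "$env:USERPROFILE"),
    [string]$HostExe       = 'AvastSvc.exe',
    [string]$SideloadedDll = 'wsc.dll'
)

function Get-SideloadCandidates {
    param([string[]]$Roots, [string]$Exe, [string]$Dll)
    $findings = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden/system files, which this worm relies on to stay unseen.
        $exes = Get-ChildItem -Path $root -Filter $Exe -Recurse -Force -File -ErrorAction SilentlyContinue
        foreach ($exe in $exes) {
            $dllPath = Join-Path $exe.DirectoryName $Dll
            # The legitimate executable alone is not suspicious; the co-located DLL is the tell.
            if (-not (Test-Path -LiteralPath $dllPath)) { continue }

            $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
            $dllSig = Get-AuthenticodeSignature -FilePath $dllPath
            $exeSigner = $exeSig.SignerCertificate.Subject
            $dllSigner = $dllSig.SignerCertificate.Subject

            $findings += [pscustomobject]@{
                Directory    = $exe.DirectoryName
                ExeSignature = $exeSig.Status
                ExeSigner    = $exeSigner
                DllSignature = $dllSig.Status
                DllSigner    = $dllSigner
                DllModified  = (Get-Item -LiteralPath $dllPath).LastWriteTimeUtc
                # Classic sideloading shape: trusted host binary, untrusted or foreign DLL.
                Suspicious   = ($exeSig.Status -eq 'Valid') -and
                               ($dllSig.Status -ne 'Valid' -or $dllSigner -ne $exeSigner)
            }
        }
    }
    return $findings
}

$results = @(Get-SideloadCandidates -Roots $SearchRoots -Exe $HostExe -Dll $SideloadedDll)
if ($results.Count -eq 0) {
    Write-Output "No $HostExe/$SideloadedDll pairs found under: $($SearchRoots -join ', ')"
} else {
    $results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
}
```

Run it from an elevated prompt so protected directories are readable. A hit with `Suspicious = True` is a lead, not a verdict: the same shape appears in legitimate third-party redistributions, so confirm by checking whether the host executable is in its vendor's install path and whether the DLL's hash is known to your endpoint tooling.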

Furthermore, investigators traced C2 activity to the IP address 45.142.166[.]112. While a 2019 Unit 42 report previously mentioned this IP, it was not definitively linked to a specific threat actor. Now, Sophos researchers confirm that the techniques observed align closely with PKPLUG, also known as Mustang Panda, a China-linked advanced persistent threat (APT) group.

In addition, the worm spreads through USB drives using evasion techniques. When it infects a USB drive, it creates deceptive shortcut files that mimic removable disks. If a user clicks these shortcuts, the malware executes silently under the guise of legitimate processes.

Moreover, the worm hides its files within a directory named RECYCLER.BIN, disguising it as a standard Recycle Bin folder. It also assigns hidden and system attributes to malicious files, making them invisible in default system views. The malware collects sensitive documents such as .doc, .xls, .ppt, and .pdf files, encrypts them, and stages them in this directory under base64-encoded filenames in preparation for exfiltration.

Given these risks, organizations must take proactive steps. Disabling AutoRun and AutoPlay features for removable media can significantly reduce exposure. Additionally, enabling visibility for hidden files and monitoring outbound network traffic are crucial measures. Deploying endpoint security tools capable of detecting DLL sideloading activity further strengthens defenses against such advanced threats.
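The USB lures above (a RECYCLER.BIN folder, hidden+system items, root-level shortcuts) and the hardening steps just listed can both be checked from the same PowerShell session. The script below is an added example, not code from the article or from Sophos: it enumerates removable drives, reports the three indicators per drive, and reads the registry values that govern AutoRun, AutoPlay and hidden-file visibility. The registry paths are the standard Explorer policy locations; treating `NoDriveTypeAutoRun = 0xFF` as "AutoRun disabled for all drive types" and `DisableAutoplay = 1` as "AutoPlay off" reflects documented Windows behaviour, but the script only reads them and does not change anything.

```powershell
# Added example (not from the article or Sophos): triage removable drives for the
# lures the worm leaves, and report AutoRun/AutoPlay/hidden-file posture.
# Assumptions: a standard Windows Explorer policy layout; the script is read-only.

function Get-RemovableDriveIndicators {
    # DriveType 2 = removable disk (USB sticks, SD cards)
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    $shell  = New-Object -ComObject WScript.Shell
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        $indicators = New-Object System.Collections.Generic.List[string]

        # 1. RECYCLER.BIN on removable media. A genuine Recycle Bin folder is $RECYCLE.BIN,
        #    so this exact name on a USB stick is worth a look by itself.
        $bin = Join-Path $root 'RECYCLER.BIN'
        if (Test-Path -LiteralPath $bin) { $indicators.Add("RECYCLER.BIN present at $bin") }

        # 2. Root-level shortcut (.lnk) files: resolve what each one actually launches,
        #    since the lure's display name mimics a drive while its target does not.
        Get-ChildItem -LiteralPath $root -Force -File -Filter '*.lnk' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                $indicators.Add("shortcut '$($_.Name)' -> '$($lnk.TargetPath) $($lnk.Arguments)'")
            }

        # 3. Items carrying both Hidden and System attributes, the combination the worm sets.
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                           ($_.Attributes -band [IO.FileAttributes]::System) } |
            ForEach-Object { $indicators.Add("hidden+system item: $($_.Name)") }

        [pscustomobject]@{
            Drive      = $d.DeviceID
            Label      = $d.VolumeName
            Indicators = $indicators
        }
    }
}

function Get-AutoRunPosture {
    $policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autoplay = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

    $noAutoRun   = (Get-ItemProperty -Path $policy   -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $noAutoPlay  = (Get-ItemProperty -Path $autoplay -Name DisableAutoplay    -ErrorAction SilentlyContinue).DisableAutoplay
    $showHidden  = (Get-ItemProperty -Path $advanced -Name Hidden             -ErrorAction SilentlyContinue).Hidden
    $showSystem  = (Get-ItemProperty -Path $advanced -Name ShowSuperHidden    -ErrorAction SilentlyContinue).ShowSuperHidden

    [pscustomobject]@{
        AutoRunDisabledAllDrives = ($noAutoRun  -eq 0xFF)   # 0xFF masks every drive type
        AutoPlayDisabled         = ($noAutoPlay -eq 1)
        HiddenFilesVisible       = ($showHidden -eq 1)
        SystemFilesVisible       = ($showSystem -eq 1)      # "protected operating system files"
    }
}

Write-Output '== Removable drive indicators =='
Get-RemovableDriveIndicators | ForEach-Object {
    Write-Output ("{0} ({1}): {2} indicator(s)" -f $_.Drive, $_.Label, $_.Indicators.Count)
    $_.Indicators | ForEach-Object { Write-Output "   $_" }
}
Write-Output '== AutoRun / AutoPlay / visibility posture =='
Get-AutoRunPosture | Format-List
```

Any `False` in the posture block is the hardening gap the article calls out; the corresponding fix is to set that value through Group Policy ("Turn off Autoplay" under Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies) rather than editing the registry by hand, so that it is enforced fleet-wide and re-applied if a user reverts it.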
