Self-Spreading PlugX USB Drive Malware Infecting Systems Worldwide.

Microsoft® Windows OS
Advisory ID:
May 20, 2024


Security investigations revealed that a self-propagating USB malware released in 2020 is still active and spreading across systems worldwide through infected USB drives. Monitoring of the PlugX worm variant revealed that about 2.5 million IP addresses were infected in over 170 countries, including Nigeria, and over 100,000 unique IPs still send daily requests to the sinkhole, indicating that the botnet remains active. It is worth noting that 15 of the 170 countries affected by the malware spread, Nigeria included, account for 80% of the infections recorded.

Description & Consequence

The PlugX worm is very sophisticated and acts as a backdoor, allowing malicious actors to remotely access and take full control of infected machines.

The attack begins with the wormable component of PlugX infecting connected USB flash drives. It adds to each drive a Windows shortcut file that takes the name of the infected flash drive, and a DLL side-loading triad (legitimate executable, malicious DLL and binary blob) inside the drive's hidden RECYCLER.BIN folder. The legitimate content of the USB device is moved to a new directory whose name is the non-breaking space character (hexadecimal ASCII code: 0xA0). When a user opens the USB device, only a shortcut with the name of the USB device is presented, pushing the user to click on it.

Clicking the shortcut executes the PlugX infection chain. PlugX starts by closing the current window and reopening a new one in the directory (named 0xA0, as previously mentioned) containing the legitimate files. Then, it copies itself to the host inside %userprofile%/AvastSvcpCP/, and enables its persistence by creating a new key under the HKCU[…]\CurrentVersion\Run registry key. Finally, it re-executes itself from the host before terminating. Once executed from the host, the worm component of this PlugX variant checks every 30 seconds for the connection of a new flash drive to automatically infect.

Its self-propagating capability, coupled with its persistence mechanism, enables it to stay active and to control a broad network of compromised computers globally. Although control over the botnet has been lost, anyone with interception abilities can still use the compromised hosts for malicious purposes.
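The drive layout described above can be checked for on a mounted USB volume. The following Python code is an added example, not part of the original advisory; the function names, finding labels, the KINGSTON volume label and the sample file names are assumptions constructed for illustration, and it assumes the legitimate executable and the DLL carry .exe and .dll extensions.

```python
import os
import tempfile

NBSP = "\u00a0"  # the 0xA0 character the advisory gives as the folder name


def scan_usb_root(root, volume_label=None):
    """Return (finding, path) pairs matching the drive layout in the advisory."""
    findings = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        is_dir = os.path.isdir(path)
        # Legitimate files are moved into a folder named only with 0xA0.
        if is_dir and name.strip(NBSP) == "":
            findings.append(("nbsp_directory", path))
        # The side-loading triad sits in RECYCLER.BIN at the drive root.
        elif is_dir and name.upper() == "RECYCLER.BIN":
            exts = set()
            for _dirpath, _dirs, files in os.walk(path):
                exts.update(os.path.splitext(f)[1].lower() for f in files)
            both = {".exe", ".dll"} <= exts  # assumed extensions
            findings.append(("recycler_exe_and_dll" if both else "recycler_folder", path))
        # A shortcut at the root, especially one named after the drive.
        elif not is_dir and name.lower().endswith(".lnk"):
            named = volume_label and name[:-4].lower() == volume_label.lower()
            findings.append(("shortcut_named_after_drive" if named else "root_shortcut", path))
    return findings


def build_constructed_sample(root, label="KINGSTON"):
    """Create an inert, constructed layout (empty files only) for testing."""
    os.makedirs(os.path.join(root, NBSP))
    os.makedirs(os.path.join(root, "RECYCLER.BIN"))
    for fname in ("host.exe", "side.dll", "blob.dat"):  # constructed names
        open(os.path.join(root, "RECYCLER.BIN", fname), "w").close()
    open(os.path.join(root, label + ".lnk"), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for kind, path in scan_usb_root(tmp, "KINGSTON"):
            print(kind, repr(path))
```

Any single finding is only a lead; the three together on one drive match the layout this advisory describes.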

A successful attack could result in the following:

  1. Unauthorized access to systems.
  2. Invasion of privacy.
  3. Data losses and exfiltration.
  4. Remote storage of illegal files.
  5. Denial of Service (DoS) attacks.


The following are hereby recommended:

  1. Security administrators should block the IoCs (see below) on all applicable security solutions after validation.
  2. System administrators should regularly back up applications, databases, and all critical data.
  3. Ensure systems are regularly patched or updated.
  4. Avoid downloading and executing files from untrusted websites.
  5. Adopt strong, reputable antivirus and anti-malware solutions.
  6. Implement measures to secure USB ports and educate users on the potential dangers associated with using untrusted USB devices.


