Risk: high
Damage: high
Platform(s): Microsoft® Windows OS
Advisory ID: ngCERT-2024-0018
Version: N/A
CVE: N/A
Published: May 20, 2024
Security investigations have revealed that a self-propagating USB malware released in 2020 is still active and spreading across systems worldwide through infected USB drives. Monitoring of this PlugX worm variant showed that about 2.5 million IP addresses were infected in over 170 countries, including Nigeria, and that over 100,000 unique IPs still send daily requests to the sinkhole, indicating that the botnet remains active. It is worth noting that 15 of the 170 affected countries, Nigeria among them, account for 80% of the recorded infections.
The PlugX worm is highly sophisticated and acts as a backdoor, allowing malicious actors to remotely access and take full control of infected machines. The attack begins with the wormable component of PlugX infecting any connected USB flash drive: it adds a Windows shortcut file bearing the name of the infected drive, and places a DLL side-loading triad (a legitimate executable, a malicious DLL and a binary blob) inside the drive's hidden RECYCLER.BIN folder. The legitimate content of the USB device is moved into a new directory whose name is the single non-breaking space character (character code 0xA0). When a user opens the USB device, only a shortcut carrying the device's name is shown, prompting the user to click on it.

Clicking the shortcut executes the PlugX infection chain. PlugX starts by closing the current window and reopening a new one in the directory (the one named 0xA0, as mentioned above) that contains the legitimate files, so nothing looks amiss to the user. It then copies itself to the host under %userprofile%/AvastSvcpCP/ and establishes persistence by creating a new entry under the HKCU[…]\CurrentVersion\Run registry key. Finally, it re-executes itself from the host before terminating.

Once running from the host, the worm component of this PlugX variant checks every 30 seconds for a newly connected flash drive to infect automatically. Its self-propagating capability, combined with its persistence mechanism, keeps it active and allows it to control a broad network of compromised computers globally. Even though the original operators have lost control of the botnet, anyone with the ability to intercept its traffic could still use the compromised hosts for malicious purposes.
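The on-disk indicators the advisory describes (the U+00A0 directory, the shortcut named after the drive, the RECYCLER.BIN side-loading triad, and the host drop directory under %userprofile%) can be checked with a short triage script. The following is an added example written for this page, not ngCERT's tooling; the function names, the volume label "MYUSB", the triad file names and the expanded Run-key path are assumptions made for illustration.

```python
"""Triage scan for the PlugX USB-worm layout described above (added example,
not ngCERT's code). Indicators are the ones the advisory names; the function
names, volume label "MYUSB" and triad file names are illustrative assumptions."""
import os
import tempfile
from pathlib import Path

NBSP = "\u00a0"           # non-breaking space used as the decoy directory name
DROP_DIR = "AvastSvcpCP"  # host drop directory under %USERPROFILE%
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # standard path of the advisory's HKCU[...]\CurrentVersion\Run

def scan_usb_root(root: Path, volume_label: str) -> list:
    """Return descriptions of the advisory's USB indicators found under root."""
    found = []
    if (root / NBSP).is_dir():
        found.append("directory named U+00A0 (relocated legitimate content)")
    for lnk in root.glob("*.lnk"):
        if lnk.stem.casefold() == volume_label.casefold():
            found.append(f"shortcut named after the volume: {lnk.name}")
    recycler = root / "RECYCLER.BIN"
    if recycler.is_dir():
        exts = {p.suffix.casefold() for p in recycler.rglob("*") if p.is_file()}
        if {".exe", ".dll"} <= exts and len(exts) >= 3:  # exe + dll + blob
            found.append("RECYCLER.BIN holds a DLL side-loading triad")
    return found

def scan_host(profile: Path) -> list:
    """Check a profile dir for the drop directory and, on Windows, Run-key persistence."""
    found = []
    if (profile / DROP_DIR).is_dir():
        found.append(f"drop directory present: {profile / DROP_DIR}")
    if os.name == "nt":  # the registry is only readable on Windows
        import winreg
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _ = winreg.EnumValue(key, i)
                if DROP_DIR.casefold() in str(value).casefold():
                    found.append(f"HKCU Run value {name!r} launches from {DROP_DIR}")
    return found

def demo() -> dict:
    """Build a constructed infected-drive layout in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / NBSP).mkdir()  # where the relocated legitimate content would live
    (root / "MYUSB.lnk").write_bytes(b"")  # decoy shortcut named after the volume
    (root / "RECYCLER.BIN").mkdir()
    for name in ("legit.exe", "sideload.dll", "payload.bin"):  # constructed triad
        (root / "RECYCLER.BIN" / name).write_bytes(b"")
    (root / "profile" / DROP_DIR).mkdir(parents=True)  # constructed host drop dir
    return {"usb": scan_usb_root(root, "MYUSB"), "host": scan_host(root / "profile"),
            "clean": scan_usb_root(root / "profile", "MYUSB")}
```

On a real machine, point scan_usb_root at each removable drive's root with that drive's volume label and scan_host at the user's profile directory; a hit on any indicator warrants isolating the host and the drive for analysis.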
A successful attack could result in the following:
The following are hereby recommended: