Recently, our Unit 42 incident response team was engaged in a Black Basta breach response that uncovered several tools and malware samples on the victim's machines, including GootLoader malware, the Brute Ratel C4 red-teaming tool and an older PlugX malware sample. The PlugX malware stood out to us because this variant infects any attached removable USB media devices, such as floppy, thumb or flash drives, and any additional systems the USB device is later plugged into. This PlugX malware also hides actor files on a USB device using a novel technique that works even on the most recent Windows operating systems (OS) at the time of writing this post. This means the malicious files can only be viewed on a Unix-like (*nix) OS or by mounting the USB device in a forensic tool.

We also discovered a similar variant of PlugX in VirusTotal that infects USB devices and copies all Adobe PDF and Microsoft Word files from the host. It places these copies in a hidden folder on the USB device that is created by the malware.

PlugX is a second-stage implant used not only by multiple groups with a Chinese nexus but also by several cybercrime groups. It has been around for over a decade and has been observed in some high-profile cyberattacks, including the U.S. Government Office of Personnel Management (OPM) breach in 2015. It is a modular malware framework, supporting an evolving set of capabilities throughout the years.

Palo Alto Networks customers receive protections against the types of threats discussed in this blog through products including Cortex XDR and WildFire.

It's not uncommon for multiple malware samples to be discovered during an investigation, as occurred in this situation with GootLoader, Brute Ratel C4 and PlugX. Because we can't conclusively say whether these malware samples were left by one group or several, we can't attribute these tools to the Black Basta ransomware group. Numerous threat actors compromise targets and can coexist simultaneously on the affected machine. However, the version of Brute Ratel C4 used in this case is the same one reported by Trend Micro, which also involved the Black Basta ransomware group.

Historically, a PlugX infection begins by hijacking a known and trusted, digitally signed software application to load an actor-created encrypted payload. This technique has been used since 2010 and is listed in MITRE ATT&CK as Hijack Execution Flow: DLL Side-Loading (T1574.002, a sub-technique of T1574). In this case, the threat actors decided to hijack a popular and free open source debugging tool for Windows called x64dbg, which is used by the malware analysis/reverse engineering community.

x64dbg applications are digitally signed by "Open Source Developer Duncan Ogilvie." The developers of this tool offer two types of debugger applications: x64 for 64-bit applications and x32 for 32-bit applications. In this case, the actors used x32dbg.exe, which is the 32-bit debugger of x64dbg. Upon execution of x32dbg.exe, Microsoft Windows will attempt to resolve any dependency files necessary to run the application. That search starts locally (i.e., in the current working directory). If found, the necessary files are loaded and executed. x32bridge.dll is a Windows Dynamic Link Library (DLL) dependency file of x32dbg.exe, and a legitimate x32bridge.dll also carries the same digital signature. Once loaded, the malware searches locally for an actor-created encrypted payload file: x32bridge.dat (SHA256: e72e49dc1d95efabc2c12c46df373173f2e20dab715caf58b1be9ca41ec0e172). x32bridge.dat was first submitted to VirusTotal on Jan. 15, 2022, and has a detection score of eight out of 61 engines. None of the engines identify the file as PlugX malware. Once loaded and decrypted in memory, the malware infects the host, and any removable USB devices attached, with the PlugX malware. Figure 1 below illustrates PlugX DLL side loading using x64dbg DLL hijacking.

Figure 1. PlugX DLL side loading using x64dbg.

Both the hijacking of x64dbg and the association of this behavior with the PlugX malware were reported by Sophos back in November 2020. Their blog refers to this malware as KilllSomeOne, based on a Program Database (PDB) string found in one of the binaries. Sophos performed an excellent analysis of the samples and touched on the USB infection. We confirmed that our sample matched the behaviors described in their report. From there, we wanted to expand our research by focusing on the USB infection, other USB variants in the wild and links to the PlugX malware. The technique used by the PlugX malware to hide files on a USB device involves using a certain Unicode character.
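The side-loading chain above (x32dbg.exe resolving x32bridge.dll from its own directory, then loading the encrypted x32bridge.dat) gives a defender two concrete things to check: whether the bridge DLL a debugger process loads carries the x64dbg signature the legitimate one has, and whether a file inventory contains the payload hash from this write-up. The following triage script is an added example, not Unit 42 code; it assumes image-load records shaped like Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, Signature, SignatureStatus), and the sample events are constructed.

```python
"""Triage for the x32dbg.exe -> x32bridge.dll -> x32bridge.dat side-loading chain.
Added example, not Unit 42 code. Records are constructed here in the shape of
Sysmon Event ID 7 (ImageLoaded) fields; only the fields named below are used."""
import ntpath

# Signer the write-up gives for legitimate x64dbg binaries, x32bridge.dll included.
EXPECTED_SIGNER = "Open Source Developer Duncan Ogilvie"
# SHA256 of the encrypted payload x32bridge.dat, taken from the write-up.
PAYLOAD_SHA256 = "e72e49dc1d95efabc2c12c46df373173f2e20dab715caf58b1be9ca41ec0e172"


def flag_sideload(ev):
    """Return a reason string when an image load matches the hijack, else None.

    The chain needs x32dbg.exe to resolve x32bridge.dll from its own directory
    (the first place Windows looks) and that DLL to lack the x64dbg signature
    the legitimate x32bridge.dll carries. A clean install therefore passes.
    """
    image, loaded = ev["Image"].lower(), ev["ImageLoaded"].lower()
    if ntpath.basename(image) != "x32dbg.exe" or ntpath.basename(loaded) != "x32bridge.dll":
        return None
    if ntpath.dirname(image) != ntpath.dirname(loaded):
        return None  # not resolved from the application directory
    if ev.get("Signed", "false").lower() != "true":
        return f"unsigned x32bridge.dll loaded from {ntpath.dirname(loaded)}"
    if ev.get("Signature") != EXPECTED_SIGNER or ev.get("SignatureStatus") != "Valid":
        return f"x32bridge.dll signed by unexpected party: {ev.get('Signature')!r}"
    return None


def is_known_payload(path, sha256):
    """Match a file-inventory entry against the x32bridge.dat hash from the write-up."""
    return ntpath.basename(path).lower() == "x32bridge.dat" and sha256.lower() == PAYLOAD_SHA256


def triage(events):
    """Run flag_sideload over a batch of events and return the reasons that fired."""
    return [r for ev in events if (r := flag_sideload(ev)) is not None]


# Constructed sample events: a clean install, the unsigned hijack, a re-signed DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\x64dbg\x32\x32dbg.exe", "ImageLoaded": r"C:\Tools\x64dbg\x32\x32bridge.dll",
     "Signed": "true", "Signature": EXPECTED_SIGNER, "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\x32dbg.exe", "ImageLoaded": r"C:\Users\Public\x32bridge.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"D:\x32dbg.exe", "ImageLoaded": r"D:\x32bridge.dll",
     "Signed": "true", "Signature": "Example Co (constructed)", "SignatureStatus": "Valid"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns two reasons (the unsigned and the re-signed bridge DLL) and stays silent on the clean install, which is the point: the debugger itself is legitimate, so the signal is the signature state of the DLL it resolves from its own directory.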