PlugX USB Worm: A Stealthy Global Threat Exploiting DLL Sideloading
A newly identified variant of the PlugX worm is surreptitiously propagating across multiple continents by concealing itself within USB drives. This sophisticated malware has been detected in regions spanning nearly ten time zones, including Papua New Guinea, Ghana, Mongolia, Zimbabwe, and Nigeria. The worm employs DLL sideloading—a technique where a legitimate application is deceived into loading a malicious library—to execute its code covertly.
PlugX, a remote access Trojan (RAT) of Chinese origin, has been a tool for threat actors for years. However, this variant introduces a new payload and connects to a command-and-control (C2) server that had not previously been closely associated with this malware family. The infection package comprises a legitimate AvastSvc.exe executable vulnerable to DLL sideloading, a malicious DLL named wsc.dll, and an encrypted payload file. Together these components run the PlugX backdoor covertly on compromised machines.
The worm’s propagation mechanism is particularly deceptive. Upon copying itself onto a USB drive, it utilizes specific mutex strings—USB_NOTIFY_COP and USB_NOTIFY_INF—to manage the operation. The USB drive appears empty in a standard Windows Explorer view, displaying only a shortcut file designed to resemble another removable disk. Clicking this shortcut executes the CEFHelper executable, a renamed AvastSvc.exe file, initiating the infection process. All malicious files and directories are assigned hidden and system attributes, rendering them invisible in standard file listings.
The worm stores its files within a directory named RECYCLER.BIN, dropping a desktop.ini file that prompts Windows to treat this folder as an actual Recycle Bin. Because Windows then shows files the user has deleted from the real hard drive inside that folder, it looks legitimate, which further obscures the worm’s presence. The malware also targets documents, including PDFs and Microsoft Word files, copying them to a folder named da520e5 within a hidden directory.
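The on-disk indicators described in the two paragraphs above (a lone shortcut on an otherwise "empty" drive, hidden and system attributes on everything else, a RECYCLER.BIN folder carrying a desktop.ini, the renamed AvastSvc.exe/CEFHelper host binary next to wsc.dll, a da520e5 staging folder of documents, and the USB_NOTIFY_COP / USB_NOTIFY_INF mutex names) can be turned into a simple triage check. The script below is an added example for defenders, not Sophos's tooling or anything from the worm itself. It assumes that an inventory of the removable drive has already been collected as a list of path/attribute records (for instance exported from an EDR or a recursive directory listing) and that a list of mutex names present on the host is available; the sample inventory and its folder layout are constructed for illustration, since the write-up does not give the exact directory structure.

```python
"""Triage a removable-drive inventory for the PlugX USB worm indicators above.

Added example (not the original article's or Sophos's code). The inventory
format and the folder layout in SAMPLE_INVENTORY are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Windows file attribute bits (from the Win32 API; values are well known).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
STEALTH_ATTRS = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Indicators taken from the write-up above.
PLUGX_MUTEXES = {"USB_NOTIFY_COP", "USB_NOTIFY_INF"}
HOST_BINARIES = {"cefhelper.exe", "avastsvc.exe"}   # legitimate binary that sideloads wsc.dll
SIDELOADED_DLL = "wsc.dll"
FAKE_RECYCLE_DIR = "recycler.bin"                    # the genuine folder is "$RECYCLE.BIN"
STAGING_DIR = "da520e5"
DOC_EXTENSIONS = {".pdf", ".doc", ".docx"}


@dataclass(frozen=True)
class Entry:
    """One inventory record: path relative to the drive root, attribute bitmask."""
    path: str
    attrs: int
    is_dir: bool = False

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name.lower()

    @property
    def parent(self) -> str:
        # PureWindowsPath("x.lnk").parent is "." so root entries group under "."
        return str(PureWindowsPath(self.path).parent).lower()

    @property
    def stealthy(self) -> bool:
        return self.attrs & STEALTH_ATTRS == STEALTH_ATTRS


def triage_drive(entries, mutexes=()):
    """Return a list of (tag, detail) findings; an empty list means no indicator hit."""
    findings = []
    by_dir = {}
    for e in entries:
        by_dir.setdefault(e.parent, []).append(e)

    # 1. The drive "looks empty": the only non-hidden root item is a shortcut.
    root = by_dir.get(".", [])
    visible = [e for e in root if not e.stealthy]
    if visible and all(e.name.endswith(".lnk") for e in visible) and len(root) > len(visible):
        findings.append(("decoy_shortcut", visible[0].path))

    # 2. Hidden+system RECYCLER.BIN folder with a desktop.ini that re-labels it as the Recycle Bin.
    for e in entries:
        if e.is_dir and e.name == FAKE_RECYCLE_DIR and e.stealthy:
            children = {c.name for c in by_dir.get(e.path.lower(), [])}
            if "desktop.ini" in children:
                findings.append(("fake_recycle_bin", e.path))

    # 3. A sideload pair: the host binary sitting next to the malicious wsc.dll.
    for directory, children in by_dir.items():
        names = {c.name for c in children}
        if SIDELOADED_DLL in names and names & HOST_BINARIES:
            findings.append(("sideload_pair", directory))

    # 4. Documents staged for exfiltration in a da520e5 folder.
    for directory, children in by_dir.items():
        if PureWindowsPath(directory).name.lower() == STAGING_DIR:
            docs = [c.path for c in children if PureWindowsPath(c.name).suffix in DOC_EXTENSIONS]
            if docs:
                findings.append(("staged_documents", f"{directory}: {len(docs)} document(s)"))

    # 5. Mutex names the worm uses to coordinate its USB copy operation.
    for mutex in sorted(PLUGX_MUTEXES & set(mutexes)):
        findings.append(("plugx_mutex", mutex))

    return findings


# Constructed sample inventory (layout assumed, not taken from the article).
SAMPLE_INVENTORY = [
    Entry("Removable Disk (E:).lnk", 0x20),                       # the only visible item
    Entry("RECYCLER.BIN", STEALTH_ATTRS, is_dir=True),
    Entry("RECYCLER.BIN\\desktop.ini", STEALTH_ATTRS),
    Entry("RECYCLER.BIN\\CEFHelper.exe", STEALTH_ATTRS),          # renamed AvastSvc.exe
    Entry("RECYCLER.BIN\\wsc.dll", STEALTH_ATTRS),
    Entry("RECYCLER.BIN\\da520e5", STEALTH_ATTRS, is_dir=True),
    Entry("RECYCLER.BIN\\da520e5\\report.pdf", STEALTH_ATTRS),
]
SAMPLE_MUTEXES = ["USB_NOTIFY_COP", "USB_NOTIFY_INF", "Global\\SomeUnrelatedMutex"]

if __name__ == "__main__":
    for tag, detail in triage_drive(SAMPLE_INVENTORY, SAMPLE_MUTEXES):
        print(f"{tag:18} {detail}")
```

Each check is deliberately narrow so that a hit points at one concrete artifact a responder can go and look at; a drive with ordinary files and no shortcut trick produces no findings, and a genuine `$RECYCLE.BIN` folder is not matched because the worm's lookalike name differs.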
The C2 activity traces back to the IP address 45.142.166[.]112, previously mentioned in a 2019 report by Unit 42 as loosely connected to PlugX but not directly tied to any known threat actor at the time. Sophos researchers now assert that the techniques observed align with the behavior of PKPLUG, also known as Mustang Panda—a China-linked advanced persistent threat (APT) group. This finding strengthens the connection between the IP address and the threat actor behind this campaign.
The scale of the PlugX USB worm’s spread underscores the persistent threat posed by cybercriminals. While complete eradication of the worm may not be feasible, collaborative efforts within the cybersecurity community have paved the way for mitigating its impact. The concept of sovereign disinfection, empowering nations to remotely remove malware from infected hosts, offers a novel strategy in combating pervasive cyber threats.
This incident highlights the critical importance of global cooperation in cybersecurity and the necessity for continuous vigilance in an ever-evolving threat landscape. As the world becomes increasingly interconnected, resilient and adaptable cybersecurity measures are paramount in safeguarding our digital future.