March 26, 2023

Researchers have discovered a new method of spreading the PlugX malware, which uses a flaw in Windows File Explorer. As a result, the malware operates completely invisible to the user.


Viruses spread via external media have been around for more than 35 years, yet a new method of distributing the PlugX malware, which targets Windows PCs, has only just been discovered. The campaign behind it is about fifteen years old and was allegedly launched by a group of Chinese hackers, but it has evolved so much over the years that it is now impossible to determine the origin of this new attack.

We owe this discovery to Unit 42, the team of Palo Alto Networks researchers specializing in security. The malware in question infects USB keys and other removable media. But the real novelty lies in its ability to remain almost undetectable, since it uses a “loophole” in the way Windows handles file names. Even the recent Windows 11 is affected by this kind of bug.


This malware infects USB keys on Windows PCs thanks to a flaw in Explorer

The PlugX malware is so well hidden that it is impossible to detect its presence on a USB key from Windows itself: you have to examine the key from a Unix-based OS or mount it with a specialized tool. How does it make itself invisible to Windows? The technique is relatively simple but effective: it hides files by using a particular Unicode character, hexadecimal code 00A0 (a non-breaking space), in their names.

The problem is that neither Windows File Explorer nor the command prompt handles this character correctly, so they cannot display the exact tree structure of the USB key and some files remain invisible to the user. To complete the picture, a Windows shortcut with the .lnk extension is created at the root of the USB device. To install itself more firmly on the system, the malware code housed in the x32bridge.dll library loads x32bridge.dat. Along the way, it creates a directory called RECYCLER.BIN as well as a hidden file, DESKTOP.INI.
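The following script is an added example, not code from the article or from Unit 42. It walks a mounted volume and flags the two traits described above: entry names that contain invisible characters (the U+00A0 non-breaking space named in the article; the other code points in the list are an assumption) and a .lnk shortcut at the root. The directory layout it builds for the demonstration is constructed and contains no real malware.

```python
import os
import tempfile
import unicodedata
from pathlib import Path

# U+00A0 is the non-breaking space named in the article; the rest are an assumption:
# further whitespace/format code points that also render as an empty name in a listing.
INVISIBLE_CHARS = {"\u00a0", "\u2007", "\u202f", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def classify_entry(rel_path: str, is_dir: bool) -> list:
    """Return findings for one entry, given its path relative to the volume root."""
    findings = []
    parts = rel_path.replace("\\", "/").split("/")
    name = parts[-1]
    # Any character that draws as nothing makes the name look blank in Explorer/cmd.
    invisible = {c for c in name if c in INVISIBLE_CHARS or unicodedata.category(c) == "Cf"}
    if invisible:
        codes = ", ".join(f"U+{ord(c):04X}" for c in sorted(invisible))
        findings.append(f"name contains invisible character(s) {codes}")
    if name and all(unicodedata.category(c).startswith("Z") for c in name):
        findings.append("name consists only of whitespace")
    if len(parts) == 1 and not is_dir and name.lower().endswith(".lnk"):
        findings.append("shortcut (.lnk) at volume root")
    return findings


def scan_volume(root) -> dict:
    """Walk a mounted volume and map each suspicious relative path to its findings."""
    root = Path(root)
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            findings = classify_entry(rel, name in dirnames)
            if findings:
                results[rel] = findings
    return results


def demo() -> dict:
    """Build a constructed layout mimicking the described one, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        hidden = Path(tmp, "\u00a0", "RECYCLER.BIN")   # blank-looking directory
        hidden.mkdir(parents=True)
        (hidden / "x32bridge.dll").write_bytes(b"constructed placeholder, not malware")
        (hidden / "x32bridge.dat").write_bytes(b"constructed placeholder, not malware")
        Path(tmp, "Documents.lnk").write_bytes(b"constructed shortcut placeholder")
        Path(tmp, "holiday.jpg").write_bytes(b"benign file")
        return scan_volume(tmp)
```

Run `demo()` to see the blank-named directory and the root shortcut reported while the benign file and the DLL inside the hidden tree are not flagged on their own.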

PlugX exploits the mishandling of a Unicode character to hide itself in Explorer (capture credit: Unit 42).

What are the risks with PlugX?

Once the system is compromised, the malware continuously monitors for any new USB device inserted into the PC, in order to extend its reach. But what, ultimately, are the risks of PlugX? Unit 42 does not dwell on its possible misdeeds, since that is not its objective, but we know that the malware is among the most virulent there is. This “family” of malware is capable of capturing everything that happens on the screen, recording keystrokes and mouse movements, managing all system processes, creating new registry entries, and restarting the system.

Note that the researchers have also discovered a variant of the malware that targets PDF and Word files. And it can never be repeated enough: to protect yourself, there is nothing like a security solution, or failing that Windows Security (also called Windows Defender), which is included by default in Windows 10 and Windows 11.

Source : Unit 42
