{"id":21445,"date":"2023-03-09T05:20:57","date_gmt":"2023-03-09T13:20:57","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/03\/09\/news-15176\/"},"modified":"2023-03-09T05:20:57","modified_gmt":"2023-03-09T13:20:57","slug":"news-15176","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/03\/09\/news-15176\/","title":{"rendered":"A border-hopping PlugX USB worm takes its act on the road"},"content":{"rendered":"<p><strong>Credit to Author: Gabor Szappanos| Date: Thu, 09 Mar 2023 11:00:02 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Our researchers are currently seeing localized outbreaks of a new variant of the PlugX USB worm \u2013 in locations nearly halfway around the world from each other. After first drawing attention to itself in Papua New Guinea in August 2022, the new variant appeared in January both in the Pacific Rim nation and 10,000 miles away in Ghana. Additional infections appeared in Mongolia, Zimbabwe, and Nigeria. 
The novel aspects of this variant are a new payload and callbacks to a C2 server previously thought to be only tenuously related to this worm.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/weird-distro-map.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90286\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/weird-distro-map.png\" alt=\"A world map showing infections in five countries, as named in text\" width=\"640\" height=\"363\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/weird-distro-map.png 1027w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/weird-distro-map.png?resize=300,170 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/weird-distro-map.png?resize=768,436 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/weird-distro-map.png?resize=1024,581 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: An unusual distribution of infections is the hallmark of a new PlugX variant that relies on DLL sideloading to propagate<\/em><\/p>\n<p><strong>Everything Old Is New Again<\/strong><\/p>\n<p>PlugX is fairly common backdoor malware (a RAT, remote access Trojan) of Chinese origin, one that relies on DLL sideloading to do its dirty work. We at Sophos have been writing about it for years, most recently <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/11\/03\/family-tree-dll-sideloading-cases-may-be-related\/\">in November<\/a>. Even the USB-aware version, which can both spread via USB and grab information from air-gapped networks via USB, has been on defenders\u2019 radar for several years. However, new variants have turned up regularly in recent months, sometimes in remarkably far-flung locations.<\/p>\n<p>Our first look at the new variant of the worm came from a CryptoGuard alert likely triggered by data exfiltration. 
(We\u2019ve put all IoCs for this incident on <a href=\"https:\/\/github.com\/sophoslabs\/IoCs\">our GitHub instance<\/a>.) The infection comprises a clean executable (AvastSvc.exe) susceptible to DLL sideloading; multiple instances of a malicious DLL (wsc.dll) sideloaded into the clean loader; an encrypted .dat payload; and (in a directory called RECYCLER.BIN) a collection of stolen, encrypted files with names obfuscated in base64:<\/p>\n<pre>Mitigation: CryptoGuard V5\nPath:       C:\\ProgramData\\AvastSvcpCP\\AvastSvc.exe (clean Avast app)\nHash:       85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654<\/pre>\n<figure id=\"attachment_90289\" aria-describedby=\"caption-attachment-90289\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-90289\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02.png\" alt=\"\" width=\"640\" height=\"199\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02.png 780w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02.png?resize=300,93 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02.png?resize=768,239 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-90289\" class=\"wp-caption-text\"><em style=\"font-size: 1em\">Figure 2: Clean AvastSvc.exe executable<\/em><\/figcaption><\/figure>\n<p>In our detailed behavioral log for the incident, we noted the following:<\/p>\n<pre>Command line: RECYCLER.BIN\\1\\CEFHelper.exe 142 60\nSHA1:         049813b955db1dd90952657ae2bd34250153563e\nSHA256:       85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654<\/pre>\n<p>&#8220;CEFHelper\u201d is the name of an Adobe process, but 
that\u2019s not what this file is \u2013 comparing this SHA256 hash with the one shown in the previous snippet (just above Figure 2) for the subverted clean executable shows that they\u2019re the same file, renamed by the malware. When the file executes, the AvastSvc executable is once again visible:<\/p>\n<pre>\"commandLine\" : \"C:\\ProgramData\\AvastSvcpCP\\AvastSvc.exe 983\",\n\"commandLine\" : \"C:\\Windows\\system32\\cmd.exe \/c D:\\RECYCLER.BIN\\143CE844B89AC3D0\\tmp.bat\",\n\"commandLine\" : \"arp -a\",\n\"commandLine\" : \"ipconfig \/all\",\n\"commandLine\" : \"systeminfo\",\n\"commandLine\" : \"tasklist \/v\",\n\"commandLine\" : \"netstat -ano\",<\/pre>\n<p><strong>A Funky Five<\/strong><\/p>\n<p>We saw five file names associated with the infection at this stage. In order, these are the file holding the information that the worm collects, the batch file that actually collects it, and the three sideloading components:<\/p>\n<pre>\"path\" : \"d:\\recycler.bin\\143ce844b89ac3d0\\c3lzlmluzm8\",\n\"path\" : \"d:\\recycler.bin\\143ce844b89ac3d0\\tmp.bat\",\n\"path\" : \"d:\\recycler.bin\\1\\avastauth.dat\",\n\"path\" : \"d:\\recycler.bin\\1\\cefhelper.exe\",\n\"path\" : \"d:\\recycler.bin\\1\\wsc.dll\",<\/pre>\n<p>We\u2019ll discuss those files at greater length momentarily. 
We saw three hashes \u2013 or, since the cefhelper.exe and avastsvc.exe files are the same file and have identical hashes, one could say we saw two hashes and one doppelg\u00e4nger:<\/p>\n<pre class=\"Codesample\">d:\\recycler.bin\\1\\cefhelper.exe : 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654\nc:\\programdata\\avastsvcpcp\\avastsvc.exe : 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654\nc:\\programdata\\avastsvcpcp\\wsc.dll : 352fb4985fdd150d251ff9e20ca14023eab4f2888e481cbd8370c4ed40cfbb9a<\/pre>\n<p><strong>Shady Mustang, Revealed Panda?<\/strong><\/p>\n<p>We then saw C2 activity reaching out to multiple variations on the IP address 45.142.166[.]112. This IP address was mentioned in a 2019 Unit 42 <a href=\"https:\/\/unit42.paloaltonetworks.com\/thor-plugx-variant\/\">blog post<\/a> as \u201cother PlugX,\u201d not at that point tied directly to PKPLUG (aka Mustang Panda), the threat actor associated most closely with this malware. At the time, Unit 42\u2019s researchers described this finding as a RAT previously seen post-exploitation in an unrelated infection. Our analysis indicates that all methods seen in use during our investigation align with what is known about the PKPLUG \/ Mustang Panda actor, thus strengthening the link between this IP address and the threat actor.<\/p>\n<p>The compressed parent as seen on VirusTotal:<\/p>\n<pre class=\"Codesample\">e07d58a12ceb3fde8bb6644b467c0a111b8d8b079b33768e4f1f4170e875bc00: AvastSvcpCP(2).zip<\/pre>\n<p>The contents of that file when unzipped look familiar:<\/p>\n<pre class=\"Codesample\">432a07eb49473fa8c71d50ccaf2bc980b692d458ec4aaedd52d739cb377f3428 *AvastAuth.dat\n85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654 *AvastSvc.exe\ne8f55d0f327fd1d5f26428b890ef7fe878e135d494acda24ef01c695a2e9136d *wsc.dll<\/pre>\n<p>The payload is PlugX. 
This version of the payload is called 20190301h:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02a.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90290\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02a.png\" alt=\"Screen capture showing the 20190301h payload\" width=\"202\" height=\"146\" \/><\/a><\/p>\n<pre class=\"Codesample\">Config data:\nInstallation directory: AvastSvcpCP\nMutex name: cUUEdKgjnOOOrpkUEjHp\nC2 server: 45.142.166[.]112<\/pre>\n<p>This PlugX malware has a long history and has been dissected in other industry writeups, such as <a href=\"https:\/\/www.avira.com\/en\/blog\/new-wave-of-plugx-targets-hong-kong\">Avira\u2019s<\/a> and <a href=\"https:\/\/www.ctfiot.com\/59605.html\">QiAnXin&#8217;s<\/a> analyses. In this coverage we\u2019ll mainly focus on the USB worm functionality.<\/p>\n<p>It uses mutexes when copying files to available removable media, with names built from these template strings:<\/p>\n<pre class=\"Codesample\">USB_NOTIFY_COP_%ws\nUSB_NOTIFY_INF_%ws<\/pre>\n<p>It then uses a couple of tricks to hide its malicious content from the casual observer. First, the infected removable media will seem to be empty. 
In Windows Explorer it would appear that the drive only contains another removable drive.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90291\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03.png\" alt=\"A deceptive screen capture of the USB drive's top-level directory\" width=\"440\" height=\"184\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03.png 440w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03.png?resize=300,125 300w\" sizes=\"auto, (max-width: 440px) 100vw, 440px\" \/><\/a><\/p>\n<p><em>Figure 3: A suspiciously tidy view from inside Explorer<\/em><\/p>\n<p>In reality the displayed item is not actually a drive but a Windows shortcut file, using an icon resembling the one used for removable media. Should the victim click on this file, it runs the CEFHelper executable we noted above:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-04.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90292\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-04.png\" alt=\"Properties of the &quot;removable&quot; &quot;drive&quot; in the directory\" width=\"307\" height=\"298\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-04.png 307w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-04.png?resize=300,291 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-04.png?resize=32,32 32w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-04.png?resize=50,50 50w\" sizes=\"auto, (max-width: 307px) 100vw, 307px\" \/><\/a><\/p>\n<p><em>Figure 4: The \u201cremovable disk\u201d is revealed as the questionable CEFHelper executable<\/em><\/p>\n<p>The other files and directories have the hidden and system attributes set, so they 
will not be visible by default in the file listing. After specifically enabling the display of hidden and system files, we can see the rest of the content (and also see the \u201cRemovable Disk(1 TB)\u201d item correctly shown as a mere shortcut):<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-05.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90293\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-05.png\" alt=\"The directory with the hidden files displayed\" width=\"417\" height=\"159\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-05.png 417w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-05.png?resize=300,114 300w\" sizes=\"auto, (max-width: 417px) 100vw, 417px\" \/><\/a><\/p>\n<p><em>Figure 5: With display enabled for hidden and system files, the \u201ctidy\u201d view in Figure 4 changes<\/em><\/p>\n<p>The files copied by the backdoor are in the RECYCLER.BIN directory \u2013 for which the worm, in another obfuscation maneuver, drops a desktop.ini file that associates the directory with the actual Recycle function. (RECYCLER is the NTFS-era name for the thing that is $Recycle.bin on modern Windows systems; NTFS systems include Windows 2000, NT, and XP.) 
This causes Windows to treat the directory as if it really is a Windows Recycle Bin, so files deleted by the user are displayed there \u2013 not files deleted from the USB drive, but those from the user\u2019s actual hard drive.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-06.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90294\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-06.png\" alt=\"True contents of &quot;recycler.bin&quot; \" width=\"273\" height=\"229\" \/><\/a><\/p>\n<p><em>Figure 6: Contents of the system\u2019s actual trash, displayed in \u201crecycler.bin\u201d<\/em><\/p>\n<p>Again, specific commands in the Windows command prompt reveal the real content of the RECYCLER.BIN directory:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-07.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90295\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-07.png\" alt=\"A file listing for the Recycler Bin directory as seen via command line\" width=\"418\" height=\"169\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-07.png 418w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-07.png?resize=300,121 300w\" sizes=\"auto, (max-width: 418px) 100vw, 418px\" \/><\/a><\/p>\n<p><em>Figure 7: Once again, hidden files are revealed<\/em><\/p>\n<p>Alternatively, a less easily deceived file explorer, such as Total Commander, can be used to browse the content. 
Both methods show that the RECYCLER.BIN directory actually contains two subdirectories:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-08.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90296\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-08.png\" alt=\"The recycler.bin directory as seen in Total Commander\" width=\"438\" height=\"127\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-08.png 438w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-08.png?resize=300,87 300w\" sizes=\"auto, (max-width: 438px) 100vw, 438px\" \/><\/a><\/p>\n<p><em>Figure 8: The same directory viewed through Total Commander<\/em><\/p>\n<p>The directory named 1 contains the DLL sideloading components we\u2019ve previously seen:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-09.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90297\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-09.png\" alt=\"Contents of the recycler.bin\/1 subdirectory, with three files visible\" width=\"437\" height=\"134\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-09.png 437w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-09.png?resize=300,92 300w\" sizes=\"auto, (max-width: 437px) 100vw, 437px\" \/><\/a><\/p>\n<p><em>Figure 9: Delving into the directory called 1<\/em><\/p>\n<p>The other directory, which has a random name, contains the victim\u2019s exfiltrated files. The first image below is the intermediate state. 
Note the tmp.bat file present:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-10.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90298\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-10.png\" alt=\"The contents of the randomly named directory, including a very large encrypted file\" width=\"534\" height=\"151\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-10.png 534w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-10.png?resize=300,85 300w\" sizes=\"auto, (max-width: 534px) 100vw, 534px\" \/><\/a><\/p>\n<p><em>Figure 10: The other directory, where the victim\u2019s belongings are stashed<\/em><\/p>\n<p>The tmp.bat file collects the system info and saves it to the first seemingly randomly named file in the directory shown above (in the image, the file that\u2019s over 1GB in size). That file name is not truly random \u2013 it is the base64 encoded form of <em>sys.info.<\/em><\/p>\n<p>When the batch file has finished its collection, it removes itself. 
All that\u2019s left are the \u201cc3lzLmluZm8\u201d file with the system info and the collected files.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-11.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90299\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-11.png\" alt=\"The directory from the previous figure once the batch file has completed encryption\" width=\"449\" height=\"121\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-11.png 449w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-11.png?resize=300,81 300w\" sizes=\"auto, (max-width: 449px) 100vw, 449px\" \/><\/a><\/p>\n<p><em>Figure 11: The other directory once more, after the batch file has finished its dirty work and removed itself<\/em><\/p>\n<p>PlugX collects .doc, .docx, .xls, .xlsx, .ppt, .pptx and .pdf files (if the individual file size is not larger than 314572800 bytes), likely for exfiltration. It saves them in encrypted form to the RECYCLER.BIN as shown above. The filenames, including the path indicator, are converted to base64 form. 
For example, in the Figure 11 image, the two file names decode to:<\/p>\n<pre class=\"Codesample\">Documents_coolclient.docx\nDocuments_serverdll.docx<\/pre>\n<p>The content of each file is also, of course, encrypted:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-12.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90300\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-12.png\" alt=\"A hex file you never want to encounter on your own machine\" width=\"554\" height=\"139\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-12.png 554w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-12.png?resize=300,75 300w\" sizes=\"auto, (max-width: 554px) 100vw, 554px\" \/><\/a><\/p>\n<p><em>Figure 12: The victim\u2019s belongings, encrypted<\/em><\/p>\n<p>As noted above, Sophos detected and blocked the attempted exfiltration. We\u2019ll add the IoCs discussed in this thread to our <a href=\"https:\/\/github.com\/sophoslabs\/IoCs\">Github repository<\/a>.<\/p>\n<p>As for the use of USB worms in 2023, they were certainly more common a decade or two ago, when a threat actor could compromise the Pentagon by <a href=\"https:\/\/www.washingtonpost.com\/national\/national-security\/cyber-intruder-sparks-response-debate\/2011\/12\/06\/gIQAxLuFgO_story.html\">dropping<\/a> a thumb drive or two in the right parking lot. However, as defenders alerted users to the potential attack vector, and other methods of file storage and transmission became more popular, this technique was abandoned. Now APT groups are re-adopting it as an effective infection and exfiltration method. 
Once again an old technique resurfaces and makes new waves &#8212; this time causing far-flung local outbreaks.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/03\/09\/border-hopping-plugx-usb-worm\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/shutterstock_181422410.jpg\"\/><\/p>\n<p><strong>Credit to Author: Gabor Szappanos| Date: Thu, 09 Mar 2023 11:00:02 +0000<\/strong><\/p>\n<p>Borne aloft by DLL sideloading, a far-flung infection touches ten time zones <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[27897,129,20692,27030,16771,28826],"class_list":["post-21445","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-dll-side-load","tag-featured","tag-plugx","tag-sophos-x-ops","tag-threat-research","tag-usb-worm"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21445","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21445"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21445\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21445"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21445"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}