PlugX USB Worm Spreads Globally via DLL Sideloading
Key Takeaways
- A new variant of the PlugX worm is rapidly spreading globally, leveraging USB drives and DLL sideloading for stealthy propagation.
- The malware has been detected across five continents, indicating a wide geographical reach since its initial observation in August 2022.
- This variant employs a legitimate AvastSvc.exe executable to sideload a malicious DLL, executing the PlugX remote access Trojan (RAT) while appearing as an empty USB drive.
- Researchers link the campaign to PKPLUG, also known as Mustang Panda, a China-affiliated advanced persistent threat (APT) group.
PlugX USB Worm Exploits DLL Sideloading for Global Infiltration
A recently identified PlugX worm variant is actively exploiting USB drives to achieve widespread global propagation, silently breaching organizational perimeters across continents. This sophisticated malware has been observed spanning at least ten time zones, indicating a significant and rapid distribution.
The worm first appeared in Papua New Guinea in August 2022. By January 2023, it resurfaced in both Papua New Guinea and Ghana, locations separated by approximately 10,000 miles. Subsequent infections were confirmed in Mongolia, Zimbabwe, and Nigeria, establishing this as one of the most geographically expansive malware outbreaks in recent history.
Advanced Tactics and Link to Notorious APT
PlugX, a well-established remote access Trojan (RAT) of Chinese origin, has been a staple in threat actor arsenals for years. However, this particular variant distinguishes itself through a novel payload and its connection to a command-and-control (C2) server not previously strongly associated with the PlugX family.
The worm’s primary evasion technique is DLL sideloading, a method where a legitimate application is manipulated into loading a malicious library instead of its intended one. This allows the worm to execute its code covertly, bypassing immediate detection.
Sophos X-Ops researchers, led by analyst Gabor Szappanos, uncovered this new variant following a CryptoGuard alert, likely triggered by an attempted data exfiltration. The infection package comprises a legitimate AvastSvc.exe executable, vulnerable to DLL sideloading; a malicious DLL named wsc.dll; and an encrypted payload file. These components collaboratively deploy the PlugX backdoor onto compromised systems.
The C2 activity was traced to the IP address 45.142.166[.]112. This IP was noted in a 2019 Unit 42 report as loosely connected to PlugX but lacked a direct link to a specific threat actor at the time. Sophos researchers now assert that the observed techniques align with the known operational patterns of PKPLUG, also known as Mustang Panda, a China-linked advanced persistent threat (APT) group. This finding significantly strengthens the connection between the IP address and the threat actor behind the current campaign.
DLL Sideloading and USB-Based Evasion
The infection chain of this PlugX variant is meticulously designed for stealth. When the worm copies itself to a USB drive, it utilizes specific mutex strings—USB_NOTIFY_COP and USB_NOTIFY_INF—to manage its operations. Post-copy, the USB drive appears completely empty within standard Windows Explorer views. Victims instead see a shortcut file disguised as another removable disk, complete with an identical drive icon.
Clicking this deceptive shortcut executes an executable named CEFHelper, which is in fact AvastSvc.exe renamed. The new name mimics a legitimate Adobe process, a deliberate tactic to avoid suspicion. All other malicious files and directories are assigned hidden and system attributes, rendering them invisible by default in typical file listings.
The worm stores all its components within a directory named RECYCLER.BIN and drops a desktop.ini file that configures Windows to treat this folder as an actual Recycle Bin. This allows legitimate deleted files from the user’s hard drive to appear within, further obscuring the worm’s presence. Inside RECYCLER.BIN, the malware targets common document types, including .doc, .docx, .xls, .xlsx, .ppt, .pptx, and .pdf files, encrypts them, and saves them with base64-encoded filenames in preparation for exfiltration.
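The on-disk artefacts described in this section (a shortcut at the drive root, a RECYCLER.BIN directory, a desktop.ini that turns that directory into a Recycle Bin, hidden-plus-system attributes, and base64-named staged documents) can be checked for with a short triage script. The following is an added example written for this page; it is not code from Sophos or from the article. The Recycle Bin CLSID it looks for is the standard Windows value, and the assumption that the worm's desktop.ini uses that mechanism is made for the example; the sample tree it builds is constructed, not a real capture.

```python
"""Triage a mounted removable drive for the PlugX USB worm artefacts described above.

Added example for this page, not code from Sophos or the article.
Assumptions: the desktop.ini uses the standard [.ShellClassInfo] CLSID
mechanism to pose as a Recycle Bin; attribute checks only work on Windows.
"""
import base64
import os
import re
import stat
import sys
import tempfile
from pathlib import Path

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"  # standard Windows Recycle Bin CLSID
SUSPECT_DIR = "RECYCLER.BIN"                                    # directory name from the report
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM  # Windows attribute bits
B64_NAME = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def looks_base64(name: str) -> bool:
    """True if a filename decodes cleanly as base64 (the staging names the article describes).
    Short alphanumeric names can collide, so this is only applied inside RECYCLER.BIN."""
    if not B64_NAME.match(name):
        return False
    try:
        base64.b64decode(name, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def hidden_and_system(path: Path) -> bool:
    """Windows exposes attributes as st_file_attributes; other OSes report 0 here."""
    attrs = getattr(path.lstat(), "st_file_attributes", 0)
    return attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM


def desktop_ini_makes_recycle_bin(ini: Path) -> bool:
    try:
        text = ini.read_text(errors="ignore")
    except OSError:
        return False
    return RECYCLE_BIN_CLSID.lower() in text.lower()


def triage_drive(root: str) -> list:
    """Return (indicator, path) pairs found under root."""
    root_path = Path(root)
    findings = []
    for entry in root_path.iterdir():  # shortcut posing as a removable disk at the root
        if entry.is_file() and entry.suffix.lower() == ".lnk":
            findings.append(("lnk-at-root", str(entry)))
    for dirpath, dirnames, filenames in os.walk(root_path):
        here = Path(dirpath)
        if here.name.upper() == SUSPECT_DIR:
            findings.append(("recycler-dir", str(here)))
            for name in filenames:
                if name.lower() != "desktop.ini" and looks_base64(name):
                    findings.append(("base64-name", str(here / name)))
        for name in filenames:
            p = here / name
            if name.lower() == "desktop.ini" and desktop_ini_makes_recycle_bin(p):
                findings.append(("recyclebin-ini", str(p)))
            if hidden_and_system(p):
                findings.append(("hidden-system", str(p)))
        for d in dirnames:
            if hidden_and_system(here / d):
                findings.append(("hidden-system", str(here / d)))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed layout mirroring the article's description (not a real capture)."""
    r = Path(root)
    (r / "Removable Disk.lnk").write_bytes(b"L\x00\x00\x00")  # placeholder, not a real shortcut
    rb = r / SUSPECT_DIR
    rb.mkdir()
    (rb / "desktop.ini").write_text(f"[.ShellClassInfo]\nCLSID={RECYCLE_BIN_CLSID}\n")
    staged = base64.b64encode(b"report.docx").decode()            # base64-named staged document
    (rb / staged).write_bytes(b"\x00" * 16)                       # stands in for encrypted content
    (rb / "CEFHelper.exe").write_bytes(b"MZ")                     # renamed sideloading host


def demo() -> list:
    """Build the sample tree in a temp dir and return the indicator kinds found."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return sorted({kind for kind, _ in triage_drive(d)})


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for kind, path in (triage_drive(target) if target else []):
        print(f"{kind:15} {path}")
    if not target:
        print("sample run:", demo())
```

Run it against the drive letter (`python triage.py E:\`) on a Windows host with the drive mounted read-only; on non-Windows systems the attribute check is inert and only the name and content indicators fire.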
What You Should Do
- Organizations must treat USB drive connections as a significant security risk, especially in environments handling sensitive data.
- Disable AutoRun and AutoPlay functionalities for all removable media as a foundational security measure.
- Configure systems to display hidden and system files by default, which can help in identifying suspicious directories like RECYCLER.BIN.
- Implement robust endpoint protection capable of detecting and preventing DLL sideloading attempts.
- Continuously monitor outbound C2 traffic for anomalous connections to mitigate potential data exfiltration.
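For the last recommendation, monitoring outbound traffic against the C2 address reported earlier, the following is an added example for this page, not code from Sophos or the article. The indicator 45.142.166[.]112 comes from the article and is refanged before matching; the log lines and the `host=/dst=/dport=/bytes_out=` line format are constructed for the example and do not represent any real product's export.

```python
"""Flag outbound connections to the reported PlugX C2 address in a connection log.

Added example for this page, not the article's or Sophos' code. The log
format and all log lines below are constructed; the indicator is from the
article, in its defanged form.
"""
import ipaddress
import re
from collections import defaultdict

C2_INDICATORS = ["45.142.166[.]112"]  # from the article, defanged

# Constructed sample log; benign destinations use documentation ranges.
SAMPLE_LOG = """\
2023-01-12T09:14:02Z host=WS-0231 dst=45.142.166.112 dport=443 bytes_out=5120
2023-01-12T09:14:05Z host=WS-0231 dst=203.0.113.10 dport=443 bytes_out=800
2023-01-12T09:15:40Z host=WS-0417 dst=45.142.166.112 dport=443 bytes_out=1024
this line is malformed and must be skipped
2023-01-12T09:16:11Z host=WS-0231 dst=45.142.166.112 dport=443 bytes_out=20480
2023-01-12T09:16:30Z host=WS-0098 dst=198.51.100.7 dport=80 bytes_out=300
"""

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+) bytes_out=(?P<bytes>\d+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (as published) back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not fit the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return {"ts": m["ts"], "host": m["host"], "dst": dst,
            "port": int(m["port"]), "bytes": int(m["bytes"])}


def find_c2_hits(log_text: str, indicators) -> list:
    """Return parsed records whose destination matches any indicator."""
    targets = {ipaddress.ip_address(refang(i)) for i in indicators}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in targets:
            hits.append(rec)
    return hits


def summarize(hits) -> dict:
    """Per-source-host connection count and bytes sent, the view an analyst triages first."""
    per_host = defaultdict(lambda: {"connections": 0, "bytes_out": 0})
    for h in hits:
        per_host[h["host"]]["connections"] += 1
        per_host[h["host"]]["bytes_out"] += h["bytes"]
    return dict(per_host)


if __name__ == "__main__":
    for host, stats in summarize(find_c2_hits(SAMPLE_LOG, C2_INDICATORS)).items():
        print(f"{host}: {stats['connections']} connection(s), {stats['bytes_out']} bytes out")
```

Bytes sent per host is the field worth sorting on: the article notes the infection was caught on an attempted exfiltration, and a workstation pushing far more data to the address than it receives is the pattern to escalate first.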
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.