A newly discovered variant of the PlugX USB worm has caused localized outbreaks in five geographically scattered countries (Papua New Guinea, Ghana, Mongolia, Zimbabwe, and Nigeria), raising alarms about a Chinese state-linked APT group deploying decade-old infection techniques with new precision.
Sophos researchers have identified a new variant of the PlugX Remote Access Trojan (RAT) spreading through infected USB drives across multiple continents, marking a significant escalation in scope and stealth for this well-known Chinese-origin malware.
After first appearing in Papua New Guinea in August 2022, the worm resurfaced in January 2023, simultaneously in Papua New Guinea and Ghana, two nations separated by over 10,000 miles, before additional infections were confirmed in Mongolia, Zimbabwe, and Nigeria.
What makes this variant particularly alarming is its combination of a new payload, a previously overlooked command-and-control (C2) server, and a refined DLL sideloading chain in which the loader is a legitimate vendor executable, so signature-based endpoint defenses often have nothing obviously malicious to flag.
Sekoia researchers, who later sinkholed the C2 address, observed between 90,000 and 100,000 unique IP addresses sending PlugX-distinctive requests daily, and roughly 2.5 million unique IP addresses in total across more than 170 countries.
DLL Sideloading at Its Most Deceptive
The infection mechanism is a textbook yet dangerously refined example of DLL sideloading. The worm drops a clean, legitimate Avast executable (AvastSvc.exe) together with a malicious DLL (wsc.dll) and an encrypted .dat payload. The executable itself is not modified: it imports wsc.dll by name, and the normal Windows DLL search order resolves that name from the executable's own directory first, so the attacker's DLL is loaded inside a trusted process.
The executable is renamed within the malware's install directory to CEFHelper.exe, the name of a legitimate Adobe helper process, further obscuring its true identity from analysts and automated scanners.
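The following is an added illustration, not Sophos' analysis tooling or anything from the original report. It models the documented default Windows DLL lookup order (SafeDllSearchMode enabled) and the KnownDLLs short-circuit, then resolves the import names relevant to this page to show why dropping wsc.dll next to the renamed Avast binary works while dropping kernel32.dll would not. The directory listings, the executable's import table, and the assumption that wsc.dll is not a KnownDLL are all constructed for the example; real loaders also consult manifests, API sets and side-by-side assemblies, which this model leaves out.

```python
"""Model of the Windows DLL search order that makes sideloading possible.

Added illustration, not Sophos' code. Listings are constructed; treating
wsc.dll as a name that is NOT in KnownDLLs is an assumption of the example.
"""
from typing import Optional

# Locations consulted, in order, when an import is not a KnownDLL
# (default order with SafeDllSearchMode enabled).
SEARCH_ORDER = ("app_dir", "system32", "system", "windows", "cwd", "path")

# Subset of real KnownDLLs entries: always mapped from System32, so planting a
# same-named file next to the executable has no effect on these.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll", "ole32.dll"}

# Constructed system state: System32 holds the KnownDLLs plus the Windows
# Security Center client library; no system location holds a wsc.dll.
SYSTEM_LISTINGS = {
    "system32": KNOWN_DLLS | {"wscapi.dll"},
    "system": set(),
    "windows": set(),
    "cwd": set(),
    "path": set(),
}


def resolve_dll(name: str, listings: dict) -> Optional[str]:
    """Return the location an import of `name` would be satisfied from, or None."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return "system32"  # KnownDLLs bypass the directory search entirely
    for location in SEARCH_ORDER:
        if name in listings.get(location, set()):
            return location
    return None


def sideload_candidates(app_dir_files, imports, listings=SYSTEM_LISTINGS) -> set:
    """Imports that the application directory satisfies before System32 is consulted.

    Any name in the returned set can be hijacked by dropping a file of that name
    next to the executable, which is exactly the wsc.dll / cefhelper.exe pairing.
    """
    merged = dict(listings)
    merged["app_dir"] = {f.lower() for f in app_dir_files}
    return {imp.lower() for imp in imports if resolve_dll(imp, merged) == "app_dir"}


# Constructed install directory matching the components named on this page,
# plus a planted kernel32.dll to show that KnownDLLs cannot be hijacked this way.
INSTALL_DIR = {"cefhelper.exe", "wsc.dll", "avastauth.dat", "kernel32.dll"}
# Assumed import table of the renamed Avast executable (constructed for the example).
IMPORTS = {"wsc.dll", "kernel32.dll", "advapi32.dll", "user32.dll"}

if __name__ == "__main__":
    print(sideload_candidates(INSTALL_DIR, IMPORTS))  # {'wsc.dll'}
```

The practical takeaway is that an executable's non-KnownDLL imports are the audit surface: listing them for vendor binaries that run from user-writable directories tells you which names an attacker can supply.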
Upon execution, the malware runs a series of system reconnaissance commands (arp -a, ipconfig /all, systeminfo, tasklist /v, and netstat -ano), harvesting a complete fingerprint of the victim's host and network environment.
This information is then saved to a file whose name (c3lzLmluZm8) is simply the base64 encoding of sys.info with the padding character dropped, a deceptive but simple obfuscation tactic.
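A burst of those five discovery commands from one parent within a short window is a cheap, high-signal detection. The following is an added example of that logic, not a Sophos detection rule or anything from the original report. The input records are constructed here in a simplified Sysmon-style process-creation shape (ts, pid, ppid, parent_image, image, cmdline); the field names, PIDs, paths and the E: drive letter are the example's own assumptions.

```python
"""Detect a reconnaissance burst like the one tmp.bat runs.

Added example, not Sophos' detection logic. SAMPLE_EVENTS are constructed
process-creation records; field names are this example's own.
"""
from collections import defaultdict
from datetime import datetime

DISCOVERY_TOOLS = {"arp.exe", "ipconfig.exe", "systeminfo.exe", "tasklist.exe", "netstat.exe"}

# Constructed events: cmd.exe launched by the renamed Avast binary, then the
# five recon commands within seconds, plus one benign helpdesk ipconfig.
SAMPLE_EVENTS = [
    {"ts": "2023-01-12T08:14:00", "pid": 5120, "ppid": 4488,
     "parent_image": r"E:\AvastSvcpCP\cefhelper.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "E:\AvastSvcpCP\tmp.bat"'},
    {"ts": "2023-01-12T08:14:01", "pid": 5201, "ppid": 5120,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ARP.EXE", "cmdline": "arp -a"},
    {"ts": "2023-01-12T08:14:02", "pid": 5202, "ppid": 5120,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2023-01-12T08:14:03", "pid": 5203, "ppid": 5120,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"ts": "2023-01-12T08:14:05", "pid": 5204, "ppid": 5120,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /v"},
    {"ts": "2023-01-12T08:14:06", "pid": 5205, "ppid": 5120,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -ano"},
    {"ts": "2023-01-12T09:30:11", "pid": 7001, "ppid": 6900,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_discovery_bursts(events, min_distinct=4, window_s=60):
    """Alert when one parent spawns >= min_distinct distinct discovery tools within window_s."""
    by_pid = {e["pid"]: e for e in events}
    by_parent = defaultdict(list)
    for e in events:
        tool = basename(e["image"])
        if tool in DISCOVERY_TOOLS:
            by_parent[e["ppid"]].append((datetime.fromisoformat(e["ts"]), tool, e))

    alerts = []
    for ppid, runs in by_parent.items():
        runs.sort(key=lambda r: r[0])
        for i, (t0, _, first) in enumerate(runs):
            in_window = [r for r in runs[i:] if (r[0] - t0).total_seconds() <= window_s]
            tools = sorted({r[1] for r in in_window})
            if len(tools) >= min_distinct:
                parent = by_pid.get(ppid)  # enrich with the grandparent when we saw it start
                alerts.append({
                    "ppid": ppid,
                    "parent_image": first["parent_image"],
                    "grandparent_image": parent["parent_image"] if parent else None,
                    "tools": tools,
                    "first_seen": first["ts"],
                })
                break  # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

The grandparent enrichment is what turns a generic "discovery burst" into a PlugX-specific lead: a shell spawned by a renamed Avast binary running from a removable drive is the thing to chase, while the lone helpdesk ipconfig produces nothing.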
The five core file components identified by Sophos researchers are:
- c3lzLmluZm8 – the collected system information, the file name being base64 of sys.info
- tmp.bat – the batch script that runs the recon commands and deletes itself on completion
- avastauth.dat – the encrypted PlugX payload (version label 20190301h)
- cefhelper.exe – the renamed legitimate Avast executable (SHA256: 85ca20...d9654)
- wsc.dll – the malicious sideloaded DLL (SHA256: 352fb4...cfbb9a)
The PlugX payload configuration reveals a mutex name of cUUEdKgjnOOOrpkUEjHp and a hardcoded C2 address of 45.142.166[.]112.
USB Drive: The Ultimate Trojan Horse
The worm's USB propagation capability is where this variant truly distinguishes itself. When a new USB drive is connected to an infected machine, PlugX copies itself to the removable media as soon as the device is detected, using named mutexes (USB_NOTIFY_COP_%ws and USB_NOTIFY_INF_%ws) to serialize the copy process and prevent duplicate infections of the same drive.
The infection hides itself from the victim using several layered deceptions:
- Explorer camouflage: the USB drive appears empty in Windows Explorer, showing only a Windows shortcut file styled with a removable drive icon. Opening it silently launches the hidden CEFHelper.exe, which sideloads wsc.dll and loads the PlugX payload.
- Hidden and system attributes: all malicious files and directories carry these attributes, rendering them invisible in default Explorer views.
- RECYCLER.BIN masquerade: stolen files are stored in a directory named RECYCLER.BIN, the NTFS-era predecessor of Windows' modern $Recycle.Bin. A crafted desktop.ini file tricks the Windows shell into treating the directory as an actual Recycle Bin, displaying the victim's own deleted files alongside the stolen data to avoid suspicion.
After reconnaissance, PlugX collects .doc, .docx, .xls, .xlsx, .ppt, .pptx, and .pdf files under 300MB, encrypts them, stores them in the RECYCLER.BIN directory under base64-encoded filenames, and stages them for exfiltration. In the case Sophos investigated, CryptoGuard V5 detected and blocked the attempt before the data left the environment.
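Pulling those hiding techniques together, the following is an added triage script for a mounted (or imaged) USB root, not Sophos' tooling or anything from the original report. It flags a shortcut at the drive root, directories that pair an executable with a DLL (the sideloading layout), a desktop.ini that borrows the Recycle Bin's shell folder CLSID, files carrying both the hidden and system attributes (only readable on Windows, where os.stat exposes st_file_attributes), and file names that decode as unpadded base64 to printable ASCII. The sample tree it builds is constructed; the specific CLSID is the well-known Windows Recycle Bin identifier, which the page itself does not quote, and the claim that this malware uses exactly that CLSID is an assumption of the example.

```python
"""Triage a USB root for the PlugX hiding tricks described on this page.

Added example, not Sophos' tooling. The sample tree is constructed; use of the
Recycle Bin CLSID in the malware's desktop.ini is assumed, not quoted from the page.
"""
import base64
import binascii
import re
import tempfile
from pathlib import Path

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"  # Windows Recycle Bin shell folder
B64_NAME = re.compile(r"[A-Za-z0-9+/]{4,}")
HIDDEN_SYSTEM = 0x2 | 0x4  # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def decode_obfuscated_name(name: str):
    """Read a file name as unpadded base64 of printable ASCII; None if it is not."""
    if not B64_NAME.fullmatch(name):
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not all(32 <= b < 127 for b in raw):
        return None
    return raw.decode("ascii")


def desktop_ini_clsid(ini_path: Path):
    """Return the CLSID= value from a desktop.ini, upper-cased, or None."""
    for line in ini_path.read_text(errors="ignore").splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "clsid":
            return value.strip().upper()
    return None


def triage_usb_root(root: Path) -> dict:
    """Walk a USB root and collect the artefacts a PlugX-style infection leaves."""
    findings = {"root_shortcuts": [], "sideload_pairs": [], "recycler_masquerade": [],
                "hidden_system": [], "decoded_names": {}}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        attrs = getattr(p.stat(), "st_file_attributes", 0)  # Windows only; 0 elsewhere
        if attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM:
            findings["hidden_system"].append(rel)
        if p.parent == root and p.suffix.lower() == ".lnk":
            findings["root_shortcuts"].append(rel)
        if p.is_dir():
            names = {c.name.lower() for c in p.iterdir()}
            if "desktop.ini" in names and desktop_ini_clsid(p / "desktop.ini") == RECYCLE_BIN_CLSID:
                findings["recycler_masquerade"].append(rel)
            exes = sorted(n for n in names if n.endswith(".exe"))
            dlls = sorted(n for n in names if n.endswith(".dll"))
            if exes and dlls:
                findings["sideload_pairs"].append((rel, exes, dlls))
        else:
            decoded = decode_obfuscated_name(p.name)
            if decoded is not None:
                findings["decoded_names"][rel] = decoded
    return findings


def build_sample_usb(root: Path) -> Path:
    """Constructed stand-in for an infected drive, mirroring the layout on this page."""
    (root / "Removable Disk.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 16)  # header only
    inst = root / "AvastSvcpCP"
    inst.mkdir()
    for name in ("cefhelper.exe", "wsc.dll", "avastauth.dat"):
        (inst / name).write_bytes(b"placeholder")
    rb = root / "RECYCLER.BIN"
    rb.mkdir()
    (rb / "desktop.ini").write_text(f"[.ShellClassInfo]\nCLSID={RECYCLE_BIN_CLSID}\n")
    (rb / "c3lzLmluZm8").write_bytes(b"recon output")          # sys.info
    (rb / "cmVwb3J0LmRvY3g").write_bytes(b"encrypted document")  # report.docx
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx").write_bytes(b"benign")
    return root


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return triage_usb_root(build_sample_usb(Path(tmp)))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real drive run it against the mount point rather than demo(); the hidden_system list will then populate on Windows, and the decoded_names map gives you the original document names without touching the encrypted contents.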
Mustang Panda’s Fingerprints All Over the Campaign
The C2 IP address 45.142.166[.]112 surfaced in a 2019 Palo Alto Unit 42 report, where it was grouped under "other PlugX" and not firmly tied to any known threat actor.
Sophos researchers now confirm that all Tactics, Techniques, and Procedures (TTPs) observed during this investigation align squarely with PKPLUG, also known as Mustang Panda (tracked under aliases including Earth Preta, RedDelta, Camaro Dragon, Bronze President, and Twill Typhoon), the Chinese state-linked APT group that has wielded PlugX as a primary tool since 2008.
This strengthens what was previously a speculative link between the IP address and the threat actor, and corroborates broader intelligence suggesting that Mustang Panda added USB worm capabilities to PlugX in 2020, specifically to reach air-gapped networks that are deliberately disconnected from the internet and therefore beyond the reach of its normal C2 channel.
The group's targeting of five strategically diverse nations across Africa, Asia, and the Pacific suggests an intelligence-gathering operation with wide geopolitical objectives.
Why USB Worms Are Making a Comeback
USB-based malware was considered largely obsolete after high-profile incidents, such as the Stuxnet attack, forced defenders to tighten removable media policies over a decade ago.
However, as security teams relaxed these policies and USB drives regained utility in enterprise and government environments, APT groups recognized a re-emerging attack surface.
Palo Alto Networks Unit 42 independently reported in January 2023 that a separate PlugX sample was infecting USB devices in ways that kept the malicious files out of sight in Windows Explorer, even though they remained on the file system.
The geographic spread of this campaign, spanning 10 time zones and three continents, with no obvious cultural or political commonality, strongly suggests multiple patient zeros in different regions, potentially from independent USB-to-USB transmission chains that have been silently propagating since 2020.
| Artifact | Value |
|---|---|
| Clean Executable | AvastSvc.exe / CEFHelper.exe – SHA256: 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654 |
| Malicious DLL | wsc.dll – SHA256: 352fb4985fdd150d251ff9e20ca14023eab4f2888e481cbd8370c4ed40cfbb9a |
| Payload Archive | AvastSvcpCP(2).zip – SHA256: e07d58a12ceb3fde8bb6644b467c0a111b8d8b079b33768e4f1f4170e875bc00 |
| C2 Server | 45.142.166[.]112 |
| Mutex | cUUEdKgjnOOOrpkUEjHp |
| Install Directory | AvastSvcpCP |
Mitigation Recommendations
- Disable AutoRun/AutoPlay for all removable media via Group Policy. Note that this variant relies on the user opening the planted shortcut rather than on AutoRun, so this step alone does not stop it.
- Deploy endpoint solutions with behavioral detection that can catch DLL sideloading by a legitimate vendor binary and bulk encryption of documents (the CryptoGuard-style alert that stopped this case)
- Enable display of hidden and system files on all managed endpoints to expose concealed artifacts. The desktop.ini trick still makes the RECYCLER.BIN folder render as a Recycle Bin, so inspect such folders from a command prompt (dir /a) or a non-shell file manager.
- Monitor for C2 callbacks to 45.142.166[.]112 and block the address at the perimeter; because that address has since been sinkholed, traffic to it today identifies infected hosts rather than live operator activity
- Audit legitimate executables (especially security vendor binaries like Avast) for unexpected DLL loads from their own directory
- Use trusted file explorers such as Total Commander that bypass Windows shell obfuscation tricks
Frequently Asked Questions (FAQs)
Q1: What is the PlugX USB worm, and who is behind it?
PlugX is a Chinese-origin RAT used since 2008, primarily attributed to the Mustang Panda (PKPLUG) APT group for cyber espionage via DLL sideloading and USB propagation.
Q2: How does the new PlugX variant spread across USB drives without being detected?
It hides all malicious files using hidden/system attributes and disguises itself as an empty drive with a shortcut icon, making the infection invisible to default Windows Explorer views.
Q3: Which countries have been infected by this new PlugX variant?
Confirmed infections span Papua New Guinea, Ghana, Mongolia, Zimbabwe, and Nigeria, with broader sinkhole data showing over 2.5 million infected IPs across 170+ countries.
Q4: Can standard antivirus software detect and remove this PlugX USB worm variant?
Sophos CryptoGuard V5 successfully detected and blocked the exfiltration attempt, though the worm’s heavy obfuscation means many standard AV tools may miss it without behavioral detection capabilities.
Site: thecybrdef.com