Black Basta Deploys PlugX Malware in USB Devices With New Technique

An operation responding to a Black Basta ransomware compromise has revealed the use of a new PlugX malware variant that can automatically infect any attached removable USB media devices.
Palo Alto Networks Unit 42 shared the findings with Infosecurity earlier today, adding that the new PlugX variant is “wormable” and can infect USB devices in such a way that it hides itself from the Windows file system.
“This PlugX malware also hides attacker files in a USB device with a novel technique, which makes the malicious files only viewable on a *nix OS or by mounting the USB device in a forensic tool,” reads a Unit 42 advisory about the new threat.
“Because of this ability to evade detection, the PlugX malware can continue to spread and potentially jump to air-gapped networks.”
Unit 42 also added that the team had found a similar variant of PlugX that can infect USB devices and copy all Adobe PDF and Microsoft Word files from the host. It then moves the copies into an automatically created, hidden folder on the USB device.
From a technical standpoint, PlugX is a second-stage implant which, according to the security researchers, is used by multiple groups with a Chinese nexus as well as several cybercrime groups.
“It has been around for over a decade and has been observed in some high-profile cyber-attacks, including the U.S. Government Office of Personnel Management (OPM) breach in 2015,” reads the Unit 42 advisory. “It is a modular malware framework, supporting an evolving set of capabilities throughout the years.”
The connection between the malware tool and Black Basta derives from the fact that the Brute Ratel post-exploitation tool used in these attacks is the same badger payload previously reported by Trend Micro and associated with the ransomware group.
Another malware tool frequently used by Black Basta is Qakbot, which the threat actor reportedly used in 2022 to create a first point of entry and move laterally within organizations’ networks.