
So yeah, my name's Will Bailey. Thank you so much for coming. I drank quite a lot last night, so this might be a bit rusty. I'd just love to talk to you about some malware I've been seeing and doing a lot of research on recently, called PlugX. Has anyone come across PlugX recently, seen an infection? Yeah? Was it a worm, or remnants of an old USB worm? Yeah, probably.

Okay, so I'm from Axbridge. Has anyone heard of Axbridge? It's a really cute sort of medieval town about 14 minutes from here. I've got about 5 years' experience in cyber now. I'm a spaghetti connoisseur, and I'm a terrible League of Legends player. Does anyone here play League? Yeah, we've only played together, haven't we? So yeah, I've been gold for a long time, it's awful. More importantly, this is my dog Aelia. She's a border collie, very friendly.

Okay, so on to the fun stuff. What is PlugX? It's a RAT, a remote access trojan, utilized by China-nexus threat actors. So really this has probably been developed by the Chinese nation state, and then they use the nexus threat actors to work through them. The main goal of PlugX seems to be data exfiltration, and it's useful to the CCP to gain strategic advantages in the military or whatever government they're competing against. So the main capabilities of PlugX are uploading and downloading information, keylogging, work control and accessing a remote command shell. It was previously distributed through phishing emails, so that would just be a standard VBS attachment or a zip file / .exe file. It came about in 2008, but in 2022 or early 2023 a new variant came along, which was a USB worm. This USB worm has been really, really prevalent. It was first really reported by Sophos in March 2023, but like I said, it had been around a few months before then.

This USB worm works by exploiting benign processes, benign third-party applications which are expected to be on sort of corporate, government-related endpoints. So it looks to exploit things like Adobe Acrobat, Steam and Flash Player. I know I say corporate endpoint and Steam doesn't really come into that, so Steam actually demonstrates that they're targeting civilians and their personal computers as well, which is quite interesting. And Flash Player, which is weird because you'd think no one uses it, but Flash Player is still being maintained and used in China. I forget the exact reason why, but it's still big over there, so they're exploiting that as well. And then they will exploit those benign processes to perform a DLL side-load, which then sets up the command and control connection.

So you'll see this command line here, which says blah blah blah RECYCLER.BIN. This RECYCLER.BIN is the directory which is set up on the USB flash drive which the files are moved into if the infection is successful, and then they are exfiltrated out. I'm really sorry, this image is really poor quality, I couldn't find a way to upscale it, but you'll see that on the infected USB device you have these two files here: the RECYCLER.BIN, which is the directory which contains the files which are exfiltrated, and an ini file. PlugX tries really hard to hide itself. It actually uses Linux files, so a lot of the actual files which are used to propagate the infection and to spread across networks onto other USB devices are invisible to the file explorer. But if you see something like RECYCLER.BIN on a USB, then it's going to be PlugX almost certainly.

Okay, so for threat actors, like I said, the CCP, the nation state, seem to be the key threat actors here, but they're working through the sort of Chinese espionage groups. So if you look up the threat actors on VirusTotal or something, you're going to see panda, panda, panda, panda: St Panda, Dei Dog, Mustang Panda, sorry. There was also an Eastern European ransomware group called Black Basta. Has anyone come across them? They were seen using PlugX a couple of years ago, I forget the actual attack they were using it in. So it does get used by ransomware gangs as well, but it seems to mostly derive from the CCP.

As for victims, I had a really hard time researching specific names of companies and institutions that fell victim to PlugX infections or attacks, but this is just a list. So you can see it's all government related, and the biotech, pharmaceutical and vaccine organizations were targeted hard when COVID took off. So in that period where the virus broke out and people were competing to develop the first vaccine, these organizations were getting hammered with PlugX. So it really does show that it's again the nation state who are working here.

I didn't start my timer, am I doing okay for time? Yeah, okay, cool. Okay, so this is a pretty simple chart. We'll come back to it in a minute because there's a story as to how they got this information, but this just shows you the countries which are targeted most with PlugX.

So to remediate and harden against PlugX: hash-based blocking is really effective, because PlugX aims to move throughout a network onto different USB flash drives, but it's replicating the same files over and over again. So if you can get those block indicators in place whenever you see an infection, it quite quickly gets the spread of PlugX contained. And again, IP blocking as well, because it's using the same files, it's trying to hook up to the same IPs and command and control servers over and over again, so blocking IPs is really effective. EDR and AV, I mean obviously. EDR especially with real-time response: if you're remoting onto a host trying to remediate a PlugX infection, you'll probably struggle to actually find the files on the USB drive that are causing the infection, and again this is because it's using Linux files and it's trying to hide itself from the file explorer. You also have the possibility that by the time you jump onto the host the USB has been removed, so you can't actually do anything on it. ASR rules: so you can use things like Defender and Intune to block suspicious executables from being executed on flash drives. Or if you're really cool you could just block USBs altogether, which is what I'd love to do one day.

I always think of USBs as needles. If you went to a doctor's for a blood test and that needle had been in other people's arms, you probably wouldn't want it going into your arm, right? So if you know a USB's been in five other people's laptops, you don't want it going into your work machine. So that's user awareness. And then the self-deletion command, so we'll come on to this next actually.

So this French security vendor, I don't know how to pronounce their name, I think it's Sekoia maybe, they did a lot of research into PlugX this year, and they undertook a sinkholing operation, which was really interesting. So they found this IP address here, which was being used for PlugX command and control, and it was abandoned. So they reached out to the cloud provider, and for something like $7 a month they took ownership of the IP. They set up a shell, and then they had telemetry over something like 2.5 million IPs which were beaconing into that server. So that's where this data came from; this was taken over a 24-hour period on the command and control sinkhole.

They also identified that PlugX has a self-deletion command, which is this string here. Where this is encrypted into an RC4 payload and delivered from the command and control server to the infected endpoint, it will delete all of the registry keys, file directories and just pretty much all of the files which are used to maintain the infection. But again, it doesn't really do anything on the USB itself, it's just on the actual infected endpoint. But because of legal issues, Sekoia are just a security vendor, so they couldn't actually start sending these self-deletion commands out when they had control of the IPs or the shell, because that would come under computer misuse; there's a lot of legal turmoil around that. However, the French authorities and Europol used Sekoia's research before the Olympics began this year, and they started a PlugX cleanup operation in France. So they just identified as many French IPs as possible that were reporting into the abandoned C2 infrastructure and just sent the self-deletion commands in the encrypted payloads, and they remediated a ton of machines in France. And now other nations are copying this research, so Malta CERT, Portugal, Slovakia, Austria, they're all working with Europol to remove PlugX from their countries.

So to conclude: PlugX remains an active threat to government organizations, although the private sector should still consider PlugX a very real threat. Flash drives remain a prevalent attack vector. Based on the victims of PlugX, it's quite obvious that it's the Chinese nation state that's behind this malware. Hash and IP-based blocking, AV and EDR are a really reliable means of containing threats, although they don't fully remediate it, as it's really hard to actually remove the files from the USB. So to actually clean up the USB, you probably need to get your hands on it and either stand on it or reformat it in a lab or something like that. So I think organizations should look to harden against PlugX by implementing USB policies and strict user awareness. Any questions?

Audience: So can you then stop the infection by disabling autorun on USBs on Windows?

Will: Yes, so you can push group policy out. Yeah, so I think in Intune the ASR rule would be blocking suspicious executables on a flash drive or something like that; that should block the infection.

Audience: ...were abandoned, and those IP addresses, do you know why they... was it all the servers that were consulted that were abandoned, or...?

Will: Yeah, that's a good question. I guess the servers just had so many abuse scores against them that they just moved on to different infrastructure. But again, because the files are replicating themselves, the IPs are still beaconing into it, the infection is still there.

Audience: ...technology...

Will: Sorry, what did you say? I didn't quite...

Audience: ...yeah, but at government level, why don't you have blockchain technology... or file to work in our... which means that you need to have a kind of...

Will: Oh right, I see what you mean. I mean, as far as my experience with AVs and EDR tools and threat intelligence goes... Yeah, okay. I don't know much about blockchain, so I don't quite know how to answer that question. But talking about different sovereignties, I know some organizations do block connections from certain countries and sign-ins from certain countries, but also a lot of organizations are spread across the globe, so you can't block every nation. Does that make sense? Sorry, yeah. Anyone else? All good? Thank you very much, thank you.
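As an added example (not code from the talk, Sophos or Sekoia), the following PowerShell script turns the two USB-worm indicators the talk describes into a hunt a responder can run on a Windows host: a hidden RECYCLER.BIN directory on a removable drive, and hidden binaries at the drive root checked against a hash block list. The $BlockedHashes entries are placeholders to be filled from your own intel; the function names are this example's own.

```powershell
# Added example, not from the talk: hunt removable drives for the PlugX USB-worm
# artefacts described above (hidden RECYCLER.BIN staging directory, hidden binaries
# at the drive root) and apply a SHA-256 block list. Run in an elevated session.

# PLACEHOLDER hashes: populate from your own threat-intel feed or sandbox results.
$BlockedHashes = @{
    'PLACEHOLDER_SHA256_OF_KNOWN_PLUGX_LOADER'  = 'PlugX loader'
    'PLACEHOLDER_SHA256_OF_KNOWN_PLUGX_PAYLOAD' = 'PlugX payload'
}

function Get-RemovableDriveRoots {
    # DriveType 2 = removable disk (USB flash drives) in Win32_LogicalDisk
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $_.DeviceID + '\' }
}

function Find-PlugXArtefacts {
    param([Parameter(Mandatory)][string]$Root)
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. The staging directory the worm moves stolen files into before exfiltration.
    #    -Force is needed on Get-Item because the directory carries the hidden attribute.
    $recycler = Join-Path $Root 'RECYCLER.BIN'
    if (Test-Path -LiteralPath $recycler -PathType Container) {
        $attrs = (Get-Item -LiteralPath $recycler -Force).Attributes
        $findings.Add([pscustomobject]@{ Path = $recycler; SHA256 = ''; Reason = "RECYCLER.BIN present (attributes: $attrs)" })
    }

    # 2. Hidden executables/DLLs at the drive root: the side-loading pair (benign
    #    signed EXE plus the DLL it loads) is what Explorer does not show the user.
    $files = Get-ChildItem -LiteralPath $Root -Force -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $hidden = ($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        if (-not $hidden -or $f.Extension -notin @('.exe', '.dll', '.dat')) { continue }
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $reason = if ($BlockedHashes.ContainsKey($hash)) { "block-listed hash: $($BlockedHashes[$hash])" } else { 'hidden binary at drive root (unknown hash, review)' }
        $findings.Add([pscustomobject]@{ Path = $f.FullName; SHA256 = $hash; Reason = $reason })
    }
    return $findings
}

foreach ($root in Get-RemovableDriveRoots) {
    Write-Host "Scanning $root"
    Find-PlugXArtefacts -Root $root | Format-Table -AutoSize
}
```

Hashes of unknown hidden binaries it reports are candidates for the block indicators the talk recommends pushing out once an infection is confirmed; the script only reads the drive and changes nothing on it.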