016. Good and Bad USB Drives

Hello everyone! French authorities and the FBI removed PlugX malware from more than 4 200 compromised devices. So, let's talk a bit about the not-so-common initial access techniques leveraged by one of the groups operating it. Yes, I'm talking about Mustang Panda (Horned Werewolf or Twill Typhoon) again.


We already got used to phishing emails, exploiting public-facing applications, abusing external remote services and even supply-chain attacks. But what about USB drives? Yes, that's one of the ways the activity cluster mentioned above distributed its PlugX variant.

Once a USB drive is inserted into an infected computer, the malware creates a hidden folder structure on it and copies the PlugX components there. It also creates an LNK file pointing to a legitimate executable used for side-loading. Details on the infection process can be found, for example, in this report.

Ok, what to look for? For example:

  • Executions from USB drives, especially from suspicious locations, like the RECYCLER.BIN folder
  • Artifacts in UserAssist related to malicious LNK files located on USB drives
  • Legitimate executable files in unexpected locations (used for side-loading)
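
A small triage script for the indicators above, added here as an example and not part of the original post: it flags payloads under a RECYCLER.BIN-style folder, LNK files at a drive root, and exe+dll pairs in one folder from a file listing, and decodes ROT13 UserAssist value names to spot LNK launches from a non-system drive. The folder-name variants, the side-loading heuristic and the sample paths are assumptions I constructed, not data from the report.

```python
import codecs
from pathlib import PureWindowsPath

# RECYCLER.BIN is the folder named in the post; the other two are assumed variants.
SUSPICIOUS_DIRS = {"recycler.bin", "$recycle.bin", "recycler"}
PAYLOAD_EXT = {".exe", ".dll", ".dat"}

def triage_usb_listing(paths):
    """Return (path, reason) findings for a list of Windows paths from a removable drive."""
    findings = []
    exts_by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        dirs = [d.lower() for d in wp.parts[1:-1]]  # directory components only
        ext = wp.suffix.lower()
        exts_by_dir.setdefault(str(wp.parent), set()).add(ext)
        if ext in PAYLOAD_EXT and any(d in SUSPICIOUS_DIRS for d in dirs):
            findings.append((p, "payload inside recycler-style hidden folder"))
        elif ext == ".lnk" and len(wp.parts) == 2:
            findings.append((p, "LNK at drive root (decoy shortcut)"))
    # Heuristic: an exe next to a dll on removable media matches the side-loading layout.
    for folder, exts in exts_by_dir.items():
        if {".exe", ".dll"} <= exts:
            findings.append((folder, "exe + dll in one folder: possible side-loading pair"))
    return findings

def decode_userassist(value_name):
    """UserAssist value names are ROT13-encoded; return the readable path."""
    return codecs.decode(value_name, "rot_13")

def userassist_lnk_on_other_drive(value_name, system_drive="C"):
    """True when a UserAssist entry records an LNK run from a drive other than the
    system drive (assumed heuristic for removable media, not a hard rule)."""
    path = PureWindowsPath(decode_userassist(value_name))
    drive = path.drive.rstrip(":").upper()
    return path.suffix.lower() == ".lnk" and drive not in ("", system_drive.upper())

# Constructed sample data for a stand-alone run; not real forensic output.
SAMPLE_LISTING = [
    r"E:\Documents.lnk",
    r"E:\RECYCLER.BIN\files\hosted.exe",
    r"E:\RECYCLER.BIN\files\loader.dll",
    r"E:\RECYCLER.BIN\files\payload.dat",
    r"E:\Photos\holiday.jpg",
]
SAMPLE_USERASSIST = [r"R:\Qbphzragf.yax", r"P:\Jvaqbjf\rkcybere.rkr"]

if __name__ == "__main__":
    for finding in triage_usb_listing(SAMPLE_LISTING):
        print(*finding, sep="  ->  ")
    for name in SAMPLE_USERASSIST:
        print(decode_userassist(name), userassist_lnk_on_other_drive(name))
```

On a live case, feed it the file listing of the mounted drive and the value names under the UserAssist key instead of the constructed samples.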
See you tomorrow!
