USB malware is not dead. Crazy, right? Researchers from Palo Alto Networks Unit 42 found a variant of malware that has been around for over a decade while they were responding to a ransomware attack. Now the team later discovered a variant of this malware on VirusTotal as well. The malware in question is called PlugX, and since 2008, it has become a widespread tool for attacks.
This newer variant can be used to make a USB flash drive malicious, allowing it to spread infections to any Windows machines it connects to, and potentially remain undetected long enough to spread to air-gapped machines by way of infecting other USB drives. Unit 42 found that this malware loads using a Windows debugging tool. The malware is hidden on a USB drive by adding a Unicode character. A Windows shortcut, which is a .lnk file, is added to the root folder in order to execute the code needed to load the malware.
And according to the team, the shortcut path to the malware contains a Unicode white space character, which is a space that does not cause a line break, but it is not visible via Windows Explorer. This is called a non-breaking space if you want to google it, and it is visible on Linux though. From here, a desktop.ini file is created, and it just chills in that hidden directory. It is used to specify that shortcut file icon in the root directory, and a recycle bin directory icon is also added to root, but that is actually used to host the malware. So when a user clicks on the shortcut file, which looks like a drive icon, and it has the same name as the USB drive, that triggers the malware to launch Explorer, show all the normal looking files on the drive, and infect the device.
Now Windows Explorer does not show hidden files by default, and even if it does, the malware is hidden inside a recycle bin looking folder, and they still don’t get displayed even if that setting is disabled. So the best way to see if a drive is infected is by checking it with a forensics tool, or viewing its contents in a UNIX operating system.