A wormable version of the PlugX USB malware.
N2K, Mar 9, 2023

PlugX campaign may be tied to Mustang Panda.

Sophos is tracking a new version of the PlugX USB Trojan. The researchers say the “novel aspects of this variant are a new payload and callbacks to a C2 server previously thought to be only tenuously related to this worm.”

PlugX campaign expands to Africa.

PlugX is a long-established remote access Trojan, and this variant spreads via USB drives, a propagation method that can carry it onto air-gapped systems that are unreachable over the network. Sophos has observed infections in Ghana, Zimbabwe, and Nigeria, and the new variant has also been seen in Papua New Guinea and Mongolia. Sophos attributes the campaign to the Chinese APT Mustang Panda, which has used PlugX in the past.

Sophos comment.

Gabor Szappanos, threat research director at Sophos, stated:

“Back in November 2022, we reported on a different cluster of active adversary activity targeting government organizations in Southeast Asia that was also taking advantage of this ‘retro’ method of spreading via USB drives. This worm then appeared thousands of miles away in Africa a month later. Now, this latest cluster of USB worm activity is hopping across three different continents. We don’t typically think of removable media as being particularly ‘mobile,’ especially when compared to internet-based attacks, but this method of dispersion has proved to be highly effective in this part of the world. What’s more, there are multiple threat actors with vastly different objectives taking advantage of USB worms; it appears that this particular activity we’ve tracked is linked to MustangPanda. It's too soon to say that USB worms are making a comeback, but it’s certainly no longer a technique relegated to a decade or two ago. Some of today’s most well-known threat actors are taking advantage of USBs to spread malware.”