Why Nostr? What is Njump?
2025-02-20 03:50:02

I just saw yet another news agency run the whole "MP is using a vulnerability in Windows to hide files!!!" as a legitimate story, when the source still has not disclosed what exactly the problem is and has failed to elaborate. It is incredibly frustrating as someone who's been tracking #MustangPanda for nearly 5 years. Here's why I think this is a nothingburger, people are blowing it out of proportion, and the research is not credible:

- The "vulnerability" is not a vulnerability. It is how desktop.ini works. desktop.ini tells Explorer what properties the folder should contain. This may include things like icon (Logo), folder type (FolderType), name (LocalizedResourceName), and many more.

One of these properties includes CLSID. You can tell Explorer what object the folder should be interpreted as by specifying the corresponding CLSID. For example, {323CA680-C24D-4099-B94D-446DD2D7249E} would correspond to the Favorites folder in Explorer.

The threat group, along with MANY OTHERS, has used this quirk in Explorer to make Explorer redirect the folder's content to other places, including Favorites, the Recycle Bin, and in this case the ActiveX Cache Folder. This is not exclusively used by MP, and it has been documented for well over 20 years!
- The research suggests that MP has only recently started using this trick - this is also untrue. They have been known to use this trick since well before PlugDisk became a thing. In fact, they started using it all the way back in the late 2010s or even earlier.

- The research mentions that "When files are extracted from compressed RAR files, they are hidden from the user. If the compressed files are extracted into a folder, the folder appears empty in the Windows Explorer GUI."

Yes, because RAR and 7z respect the file attributes from the source filesystem. In other words, when you compress a folder marked System + Hidden, it keeps the same S+H attributes when the folder is extracted. Naturally, a user who does not have "Show hidden files" enabled and "Hide protected operating system files" disabled isn't going to see the files.

The research firm also attempted to enumerate the directory via `dir` and it showed no results - because you DIDN'T TELL dir to show hidden files with the `/A:` switch.
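As an added example (not from the original post, nor from any vendor research), a small Python script that does what the two points above boil down to for a defender: enumerate a folder tree regardless of Hidden/System attributes and flag every desktop.ini whose [.ShellClassInfo] sets a CLSID. The desktop.ini contents and the folder names are constructed for the demo, and only the Favorites CLSID quoted above is given a label; the S+H check relies on st_file_attributes, so it is only meaningful on Windows.

```python
import configparser
import os
import stat
import tempfile
from typing import List, Optional, Tuple
# The only CLSID quoted in the post; any other value is still reported, just unlabelled.
KNOWN_CLSIDS = {"{323CA680-C24D-4099-B94D-446DD2D7249E}": "Favorites"}
# Constructed desktop.ini contents in the shape Explorer reads (not from any malware sample).
SAMPLE_REDIRECT_INI = "[.ShellClassInfo]\nCLSID={323ca680-c24d-4099-b94d-446dd2d7249e}\n"
SAMPLE_BENIGN_INI = "[.ShellClassInfo]\nIconResource=C:\\Windows\\System32\\shell32.dll,3\n"

def clsid_from_desktop_ini(text: str) -> Optional[str]:
    """Return the CLSID declared under [.ShellClassInfo], upper-cased, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep keys as written; compared case-insensitively below
    try:
        parser.read_string(text)
    except configparser.Error:  # not an INI file at all
        return None
    for section in parser.sections():
        if section.lower() == ".shellclassinfo":
            for key, value in parser[section].items():
                if key.lower() == "clsid":
                    return value.strip().upper()
    return None

def scan_for_redirected_folders(root: str) -> List[Tuple[str, str, str, bool]]:
    """Walk root (os.walk lists Hidden/System entries, unlike a bare `dir`) and return
    (folder, CLSID, label, folder has S+H [Windows only]) for each redirected folder."""
    findings = []
    mask = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower() == "desktop.ini"):
            with open(os.path.join(dirpath, name), "rb") as fh:
                raw = fh.read()
            # a UTF-16 LE BOM is common for desktop.ini; otherwise treat it as UTF-8
            text = raw.decode("utf-16" if raw[:2] == b"\xff\xfe" else "utf-8-sig", "ignore")
            clsid = clsid_from_desktop_ini(text)
            if clsid is not None:
                attrs = getattr(os.stat(dirpath), "st_file_attributes", 0)  # 0 off Windows
                findings.append((dirpath, clsid, KNOWN_CLSIDS.get(clsid, "unknown CLSID"),
                                 (attrs & mask) == mask))
    return findings

def demo() -> List[Tuple[str, str, str, bool]]:
    """Write the constructed samples into a temp dir, scan it, report folders relative to it."""
    with tempfile.TemporaryDirectory() as root:
        for sub, ini in (("Publics", SAMPLE_REDIRECT_INI), ("Normal", SAMPLE_BENIGN_INI)):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, "desktop.ini"), "w", newline="") as fh:
                fh.write(ini)
        return [(os.path.relpath(f[0], root),) + f[1:] for f in scan_for_redirected_folders(root)]
```

A folder that sets a CLSID and also carries S+H is the combination worth a second look; a CLSID-only hit with no attributes is often just a customised folder.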

- My biggest problem with this research is the sample they linked in the study. The sample they provided is clearly one packed by the victim in Vietnam, and it is not used for initial access. Whilst they never suggested it was used as IA, this is still an incredibly strange example to use because:
1. The sample contains possibly sensitive information (sales data and customer names) from the affected Vietnam firm.
2. The sample does not showcase how PlugDisk could have functioned as-is.
3. The narrative from the research suggested the "vulnerability" all came from this bad RAR file when that is not the case (more on that later).

- The folders you see within the Documents folder were created by PlugDisk - this folder structure is never used as the first infection vector, nor does it exist on the infected USB drives. This folder is most commonly found in %public%\Publics, but the path can be defined in the PlugDisk config. The desktop.ini is also created by PlugDisk - it does not magically come shipped inside a RAR file.

The whole premise of the research is what ticked me off. This would have been perfectly fine if they were talking about how PlugDisk uses desktop.ini to hide its files; whilst that wouldn't be anything new, it wouldn't hurt for more people to be aware of it. Instead, they are going along with the narrative that this was somehow created with a combination of RAR and attrib -s -h, and that the victim-created RAR file is somehow at fault here.

Author Public Key
npub1dvaeulmpehewu000kkfsklutudjvdkd30plug49efns2rdm4fhgs7lx70c