Latest Cyber-Attack Unveils PlugX Trojan Disguised as Legitimate Windows Debugger Tool
In recent cyber-attacks, the PlugX remote access trojan has been camouflaged as an open-source Windows debugger tool, x64dbg, to evade security controls and take control of the targeted system.
According to a report published by Trend Micro researchers Buddy Tancio, Jed Valderama, and Catherine Loveria, x64dbg is an authentic open-source debugger tool for Windows that is usually utilized to scrutinize kernel-mode and user-mode code, CPU registers, and crash dumps.
PlugX, also known as Korplug, is a post-exploitation modular implant with numerous functions, including data exfiltration, and the ability to utilize the hacked machine for malevolent purposes. Although first documented in 2012, samples of the malware date back to February 2008.
The malware is known for using DLL side-loading as one of its primary methods: a malicious DLL is loaded through a digitally signed application, which in this case is the x64dbg debugger (x32dbg.exe). The technique abuses the Windows DLL search order so that invoking the legitimate application stages and executes the rogue payload.
The digital signature of x32dbg.exe can confuse some security tools since it is a legitimate application, enabling threat actors to avoid detection, maintain persistence, escalate privileges, and bypass file execution restrictions.
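The pattern described above (a signed executable running from a user-writable path and loading an unsigned DLL placed beside it) is what a defender looks for in image-load telemetry. The following triage heuristic is an added example, not code from the article or from Trend Micro; its field names are assumptions loosely modelled on Sysmon Event ID 7, the sample records are constructed, and "helper.dll" and the publisher strings are placeholders.

```python
"""Side-loading triage over constructed image-load records (Sysmon-like).

Heuristic: a digitally signed EXE outside a protected install root loads a
DLL from its own directory (searched first by Windows) that is unsigned or
signed by a different publisher. Field names are assumptions, not a schema.
"""
from pathlib import PureWindowsPath

# Install roots where a vendor-shipped DLL next to its EXE is expected.
TRUSTED_ROOTS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64",
                 r"C:\Program Files", r"C:\Program Files (x86)")


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path lies below root' check for Windows paths."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def is_sideload_candidate(rec: dict) -> bool:
    exe, dll = rec["Image"], rec["ImageLoaded"]
    if not dll.lower().endswith(".dll") or not rec.get("ImageSigned"):
        return False  # unsigned host EXE: covered by other heuristics
    if any(_under(exe, r) for r in TRUSTED_ROOTS):
        return False  # installed under a protected root
    exe_dir = str(PureWindowsPath(exe).parent).lower()
    if str(PureWindowsPath(dll).parent).lower() != exe_dir:
        return False  # DLL came from elsewhere, e.g. System32
    # Same directory as a signed EXE outside protected roots: flag unless the
    # DLL carries the same publisher's signature as the EXE.
    same_pub = rec.get("DllSigned") and rec.get("DllPublisher") == rec.get("ImagePublisher")
    return not same_pub


def find_sideload_candidates(records):
    return [(r["Image"], r["ImageLoaded"]) for r in records if is_sideload_candidate(r)]


# Constructed sample telemetry; "helper.dll" and publisher names are placeholders.
SAMPLE_RECORDS = [
    {"Image": r"C:\Users\victim\Downloads\x32dbg\x32dbg.exe", "ImageSigned": True,
     "ImagePublisher": "PLACEHOLDER_PUBLISHER_A",
     "ImageLoaded": r"C:\Users\victim\Downloads\x32dbg\helper.dll", "DllSigned": False},
    {"Image": r"C:\Users\victim\Downloads\x32dbg\x32dbg.exe", "ImageSigned": True,
     "ImagePublisher": "PLACEHOLDER_PUBLISHER_A",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "DllSigned": True,
     "DllPublisher": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageSigned": True, "ImagePublisher": "Vendor",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor.dll", "DllSigned": True, "DllPublisher": "Vendor"},
]

if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_RECORDS):
        print(f"possible DLL side-loading: {exe} loaded {dll}")
```

Only the first record is flagged; the System32 load and the vendor-signed DLL under Program Files are expected behaviour and pass.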
The hijacking of x64dbg to load PlugX was disclosed last month by Palo Alto Networks Unit 42. The researchers found a new variant of the malware that hides malicious files on removable USB devices to propagate the infection to other Windows hosts.
To ensure continued access, the malware achieves persistence through Windows Registry modifications and the creation of scheduled tasks, even after the system restarts.
Furthermore, Trend Micro's analysis of the attack chain disclosed the use of x32dbg.exe to deploy a backdoor, a UDP shell client that collects system information and awaits additional instructions from a remote server.
The researchers remarked that despite advancements in security technology, attackers will continue to use DLL side-loading since it exploits a fundamental trust in legitimate applications. The technique will remain viable as long as systems and applications continue to trust and load dynamic libraries, and, as such, poses a persistent threat to organizations.