PlugX Trojan Disguised as Legitimate Windows Debugger Tool in Latest Attacks

February 27, 2023 | Ravie Lakshmanan | Malware/Cyberattack


The PlugX remote access Trojan has been observed masquerading as an open source Windows debugger tool called x64dbg in an attempt to circumvent security protections and gain control of target systems.

“This file is a legitimate open-source debugger tool for Windows and is typically used to examine kernel-mode and user-mode code, crash dumps, or CPU registers,” Trend Micro researchers Buddy Tancio, Jed Valderama, and Catherine Loveria said in a report released last week.

PlugX, also known as Korplug, is a post-exploitation modular implant known, among other things, for its data exfiltration capabilities and its ability to use compromised machines for further malicious purposes.

It was first documented in 2012, although Trend Micro reports from that time dated the earliest samples of the malware to February 2008. Over the years, PlugX has been used not only by cybercrime groups but also by China-linked threat actors.

One of the primary methods used by the malware is DLL sideloading, in which a malicious DLL is loaded by a digitally signed software application, in this case the x64dbg debugging tool (x32dbg.exe).

DLL sideloading attacks take advantage of Windows’ DLL search order: a malicious DLL is planted alongside a legitimate application, which then resolves the library from its own directory and executes the attacker’s payload under the cover of a trusted process.
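The search-order abuse described above gives defenders a simple telemetry heuristic: a DLL whose name normally resolves from System32 but is loaded from an application directory, or a signed executable loading an unsigned DLL that sits next to it. The following added example is not from the Trend Micro report or the x64dbg project; it triages a few constructed image-load events (fields modelled loosely on Sysmon Event ID 7, which is an assumption about the data source) and returns the reasons each event looks like sideloading. The set of system DLL names is a constructed sample; a real deployment would enumerate %SystemRoot%\System32.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of DLL base names that normally resolve from System32.
# A real deployment would build this set by enumerating %SystemRoot%\System32.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wintrust.dll", "userenv.dll"}

# Directories from which a system DLL is expected to be resolved.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ImageLoad:
    """One image-load event (assumed field set, modelled on Sysmon Event ID 7)."""
    process: str          # full path of the loading executable
    process_signed: bool  # executable carries a valid Authenticode signature
    dll: str              # full path of the loaded DLL
    dll_signed: bool      # DLL carries a valid Authenticode signature


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case/separator-insensitive."""
    return path.lower().replace("/", "\\")


def is_sideload_candidate(ev: ImageLoad) -> List[str]:
    """Return the list of reasons this load looks like DLL sideloading (empty if benign)."""
    reasons: List[str] = []
    proc_dir = ntpath.dirname(_norm(ev.process)) + "\\"
    dll_path = _norm(ev.dll)
    dll_dir = ntpath.dirname(dll_path) + "\\"
    dll_name = ntpath.basename(dll_path)
    in_system_dir = dll_dir.startswith(SYSTEM_DIRS)

    # Heuristic 1: a name that should come from System32 resolved elsewhere,
    # i.e. the search order found a planted copy before the real one.
    if dll_name in SYSTEM_DLL_NAMES and not in_system_dir:
        reasons.append(f"system DLL name '{dll_name}' resolved outside System32 from {dll_dir}")

    # Heuristic 2: a signed executable loading an unsigned library from its own
    # directory, the pattern of a trusted binary carrying an attacker's DLL.
    if ev.process_signed and not ev.dll_signed and dll_dir == proc_dir and not in_system_dir:
        reasons.append("signed executable loaded an unsigned DLL from its own directory")

    return reasons


def triage(events: List[ImageLoad]) -> List[Tuple[ImageLoad, List[str]]]:
    """Keep only the events that trip at least one heuristic, with their reasons."""
    return [(ev, r) for ev in events if (r := is_sideload_candidate(ev))]


# Constructed sample events; paths and signature states are illustrative only.
SAMPLE_EVENTS = [
    # Benign: debugger in its install directory resolves version.dll from System32.
    ImageLoad(r"C:\Program Files\x64dbg\x32dbg.exe", True, r"C:\Windows\System32\version.dll", True),
    # Suspicious: signed debugger copied to a writable folder loads an unsigned
    # version.dll sitting beside it, so the search order never reaches System32.
    ImageLoad(r"C:\Users\Public\tools\x32dbg.exe", True, r"C:\Users\Public\tools\version.dll", False),
    # Benign: an unsigned application loading its own unsigned plugin (non-system name).
    ImageLoad(r"C:\Users\bob\app\app.exe", False, r"C:\Users\bob\app\plugin.dll", False),
    # Worth a look: a system DLL name shipped next to an unsigned tool.
    ImageLoad(r"C:\temp\tool.exe", False, r"C:\temp\dbghelp.dll", False),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.process, "->", ev.dll)
        for reason in reasons:
            print("   ", reason)
```

Heuristic 1 is the direct consequence of the search-order behaviour the article describes; heuristic 2 catches the signed-host pattern the researchers highlight with x32dbg.exe. Both produce false positives for applications that legitimately redistribute system libraries, so the output is a triage list for an analyst, not an automatic block.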

“A valid digital signature on the legitimate application x32dbg.exe confuses some security tools, allowing attackers to stay under the radar, maintain persistence, escalate privileges, and bypass file execution restrictions,” the researchers said.

The hijacking of x64dbg to load PlugX was documented last month by Palo Alto Networks Unit 42, which discovered a new variant of the malware that hides malicious files on removable USB devices and spreads to other Windows hosts.


Persistence is achieved by modifying the Windows registry and creating a scheduled task to ensure continued access after system reboots.

Trend Micro’s analysis of the attack chain also revealed that x32dbg.exe was used to deploy a backdoor: a UDP shell client that gathers system information and waits for additional instructions from a remote server.

“Despite advances in security technology, attackers continue to use [DLL side-loading] as it exploits the underlying trust in legitimate applications,” the researchers said.

“This technique is viable for attackers to deliver malware and access sensitive information as long as systems and applications continue to trust and load dynamic libraries.”
