PlugX Trojan Disguised as Legitimate Windows Debugger Tool in Latest Attacks

06 March 2023

The PlugX remote access trojan has been observed masquerading as an open source Windows debugger tool called x64dbg in an attempt to circumvent security protections and gain control of a target system.

 

"This file is a legitimate open-source debugger tool for Windows that is generally used to examine kernel-mode and user-mode code, crash dumps, or CPU registers," researchers published last week.

 

PlugX, also known as Korplug, is a post-exploitation modular implant, which, among other things, is known for its multiple functionalities such as data exfiltration and its ability to use the compromised machine for nefarious purposes.

 

Although first documented a decade ago in 2012, early samples of the malware date as far as February 2008, according to a report at the time. Over the years, PlugX has been used by threat actors with a Chinese nexus as well as cybercrime groups.

 

One of the key methods the malware employs is a technique DLL side-loading to load a malicious DLL from a digitally signed software application, in this case the x64dbg debugging tool (x32dbg.exe).

 

It's worth noting here that DLL side-loading attacks leverage the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a rogue payload.

"Being a legitimate application, x32dbg.exe's valid digital signature can confuse some security tools, enabling threat actors to fly under the radar, maintain persistence, escalate privileges, and bypass file execution restrictions," researchers said.

The hijacking of x64dbg to load PlugX was disclosed last month by researcher, which discovered a new variant of the malware that hides malicious files on removable USB devices to propagate the infection to other Windows hosts.

Persistence is achieved via Windows Registry modifications and the creation of scheduled tasks to ensure continued access even after system restarts.

Researcher analysis of the attack chain also revealed the use of x32dbg.exe to deploy a backdoor, a UDP shell client that collects system information and awaits additional instructions from a remote server.

"Despite advances in security technology, attackers continue to use [DLL side-loading] since it exploits a fundamental trust in legitimate applications," the researchers said.

"This technique will remain viable for attackers to deliver malware and gain access to sensitive information as long as systems and applications continue to trust and load dynamic libraries.

 

Related News

New Apple Zero-Days Exploited to Target Egyptian ex-MP with Predator Spyware

25 Sep 2023

The three zero-day flaws addressed by Apple on September 21, 2023, were leveraged as part of an iPhone exploit chain in an attempt to deliver a spyware strain called Predator targeting former Egyptian member of parliament Ahmed Eltantawy between May and September 2023.

Read More

Microsoft Warns of New Phishing Campaign Targeting Corporations via Teams Messages

25 Sep 2023

Microsoft is warning of a new phishing campaign undertaken by an initial access broker that involves using Teams messages as lures to infiltrate corporate networks.

Read More

Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack

18 Sep 2023

A new vulnerability disclosed in GitHub could have exposed thousands of repositories at risk of repojacking attacks, new findings show.

Read More