Recently, the PlugX remote access Trojan has been identified disguising itself as the legitimate open-source Windows debugging tool x64dbg. This tactic aims to bypass cybersecurity defenses and enable unauthorized control over target systems.

According to a report by Trend Micro researchers Buddy Tancio, Jed Valderama, and Catherine Loveria, x64dbg is typically utilized for observing both kernel-mode and user-mode code, crash dumps, and CPU registers, making its imitation particularly concerning.

PlugX, also referred to as Korplug, is a modular implant designed for post-exploitation activity. It is capable of data exfiltration and of turning compromised machines to further malicious use. The malware has been in circulation for over a decade and has been linked both to China-nexus threat actors and to various cybercriminal groups.

The operators behind PlugX predominantly rely on DLL side-loading, a technique that lets them load a malicious dynamic link library through an otherwise legitimate application. In this case, the legitimate host is the x64dbg suite's 32-bit debugger executable, x32dbg.exe.

DLL side-loading exploits Windows’ DLL search order mechanisms to execute a legitimate program that inadvertently runs a harmful payload. As the researchers pointed out, because x32dbg.exe carries a valid digital signature, it can mislead security systems, allowing attackers to gain persistent access, elevate privileges, and skirt file execution restrictions.
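Detection logic for the side-loading pattern described above, added here as an example and not taken from the Trend Micro or Unit 42 reports. It assumes Sysmon-style ImageLoad (Event ID 7) fields (Image, ImageLoaded, Signed, SignatureStatus) and runs over constructed sample events; the DLL name is a placeholder, not the one used in the campaign.

```python
"""Heuristic DLL side-loading detection over constructed Sysmon-style ImageLoad
records. Field names (Image, ImageLoaded, Signed, SignatureStatus) are assumed;
the sample paths and the sideloaded DLL name are constructed placeholders."""
from pathlib import PureWindowsPath

# Directories where a same-directory DLL load is expected and not suspicious.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events (not real telemetry). The first one models the
# sideload: a signed debugger binary dropped in a user-writable folder loads
# an unsigned DLL from that same folder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\Downloads\x32dbg.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\placeholder_sideloaded.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\victim\Downloads\x32dbg.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def is_under_trusted_root(path: str) -> bool:
    """True if the path sits under a standard install/system directory."""
    lowered = path.lower()
    return any(lowered.startswith(root) for root in TRUSTED_ROOTS)


def find_sideload_candidates(events):
    """Return (process, dll, reason) tuples for loads that match the pattern:
    the DLL resolved from the executable's own directory, that directory is
    outside the trusted roots, and the DLL carries no valid signature."""
    findings = []
    for ev in events:
        proc = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        same_dir = str(proc.parent).lower() == str(dll.parent).lower()
        if not same_dir or is_under_trusted_root(ev["ImageLoaded"]):
            continue
        if ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid":
            continue
        findings.append((proc.name, dll.name,
                         "unsigned DLL loaded from executable's directory outside trusted roots"))
    return findings


if __name__ == "__main__":
    for proc, dll, reason in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{proc} -> {dll}: {reason}")
```

The heuristic deliberately ignores signed DLLs in trusted roots, so a real deployment would pair it with an allowlist of known-good application directories to keep the alert volume manageable.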

Last month, the hijacking of x64dbg for loading PlugX was reported by Palo Alto Networks Unit 42. This variant not only lends itself to remote access but also hides malicious payloads in USB drives to facilitate the spread of infection to additional Windows systems.

To maintain persistent access, PlugX employs manipulation of the Windows Registry and creates scheduled tasks that ensure continued control even after system reboots. The analysis has also uncovered that the use of x32dbg.exe enables the deployment of a backdoor, a UDP shell client designed to gather system data and await instructions from remote servers.

Despite the enhancements in cybersecurity technologies, attackers continue to exploit DLL side-loading since it undermines the inherent trust in legitimate applications. As long as systems maintain this trust, these tactics will likely remain effective methods for attackers to compromise sensitive information and deploy malware.
