The PlugX remote access trojan has been seen masquerading as an open-source Windows debugger utility named x64dbg to bypass security measures and gain control of a target network. “This file is a legitimate open-source debugger tool for Windows that is generally used to examine kernel-mode and user-mode code, crash dumps, or CPU registers,” stated Trend Micro researchers. PlugX, aka Korplug, is a post-exploitation modular implant and is known for its many features including data exfiltration and the capacity to use the compromised machine for illegal activities. Although first documented in 2012, early malware samples stretch back to February 2008. Chinese threat actors and other cybercrime organizations have employed PlugX in the past. The malware uses the DLL side-loading technique to load a malicious DLL from a digitally signed software program, in this case, the x64dbg debugging tool (x32dbg.exe). It’s important to note that DLL side-loading attacks use Windows’ DLL search order mechanism to install and then launch a trustworthy application that runs a malicious payload. “Being a legitimate application, x32dbg.exe’s valid digital signature can confuse some security tools, enabling threat actors to fly under the radar, maintain persistence, escalate privileges, and bypass file execution restrictions,” stated researchers.
The hijacking of x64dbg to load PlugX was discovered last month by Palo Alto Networks Unit 42, which discovered a new variant of the malware that hides malicious files on removable USB devices to propagate the infection to other Windows hosts. Persistence is achieved by changing the Windows Registry and setting up scheduled processes to maintain access. Trend Micro’s analysis also revealed the use of x32dbg.exe to deploy a backdoor, a User Datagram Protocol (UDP) shell client controlled by a remote server. “This technique will remain viable for attackers to deliver malware and gain access to sensitive information as long as systems and applications continue to trust and load dynamic libraries,” stated researchers.