The PlugX remote access trojan has been seen masquerading as an open-source Windows debugger utility named x64dbg to bypass security measures and gain control of a target network. “This file is a legitimate open-source debugger tool for Windows that is generally used to examine kernel-mode and user-mode code, crash dumps, or CPU registers,” stated Trend Micro researchers.

PlugX, aka Korplug, is a post-exploitation modular implant known for its many features, including data exfiltration and the capacity to use the compromised machine for illegal activities. Although first documented in 2012, early malware samples stretch back to February 2008. Chinese threat actors and other cybercrime organizations have employed PlugX in the past.

The malware is delivered through DLL side-loading: a malicious DLL is loaded by a digitally signed software program, in this case the x64dbg debugging tool (x32dbg.exe). DLL side-loading attacks abuse Windows’ DLL search order mechanism: a trustworthy application is installed and launched, and because the loader resolves DLL names starting from the application’s own directory, the application picks up and runs the attacker’s malicious payload. “Being a legitimate application, x32dbg.exe’s valid digital signature can confuse some security tools, enabling threat actors to fly under the radar, maintain persistence, escalate privileges, and bypass file execution restrictions,” stated researchers.
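As an added detection example (not from the Trend Micro report), the check below flags the side-loading pattern described above in image-load telemetry: a signed process that resolves an unsigned DLL from its own directory rather than from a system directory. The event schema, the victim paths and the side-loaded DLL name are constructed placeholders.

```python
"""Heuristic detection of DLL side-loading in image-load telemetry (added example).
Windows resolves an implicitly linked DLL by search order, starting with the
executable's own directory before the system directories; a signed host that
resolves an unsigned DLL from its own directory is the pattern described above."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories later in the search order; a DLL resolved from one of these is
# the normal case and is not flagged.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

@dataclass(frozen=True)
class ImageLoad:            # constructed schema; map to your EDR's image-load event
    process_path: str       # image path of the loading process
    process_signed: bool    # Authenticode signature on the process image verified
    dll_path: str           # path the loader actually resolved for the DLL
    dll_signed: bool        # Authenticode signature on the DLL verified

def _norm_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()

def is_side_load_candidate(ev: ImageLoad) -> bool:
    """True when a signed process loads an unsigned DLL from its own directory."""
    dll_dir = _norm_dir(ev.dll_path)
    if dll_dir in SYSTEM_DIRS or dll_dir != _norm_dir(ev.process_path):
        return False
    return ev.process_signed and not ev.dll_signed

def find_side_loads(events):
    """Return the DLL paths flagged across a batch of image-load events."""
    return [ev.dll_path for ev in events if is_side_load_candidate(ev)]

# Constructed sample telemetry; the side-loaded DLL name is a placeholder.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\victim\Downloads\x32dbg.exe", True,
              r"C:\Users\victim\Downloads\PLACEHOLDER_sideloaded.dll", False),
    ImageLoad(r"C:\Users\victim\Downloads\x32dbg.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Program Files\Vendor\plugin.dll", True),
]
```

A DLL that is signed, but by a different publisher than its host, is also worth reviewing; that signer comparison is left out here for brevity.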