PlugX RAT masquerades as legit Windows debugger to slip past security
DLL side-loading does the trick, again
Cybercriminals are disguising the PlugX remote access trojan as a legitimate open-source Windows debugging tool to evade detection and compromise systems.
In a recent case detailed by Trend Micro, miscreants used a PlugX variant to hijack the popular x64dbg debugging tool to go undetected. The malware exploits a technique called DLL side-loading that's been in use for over a decade. In this case PlugX loads a malicious payload after hijacking x64dbg, a trusted and digitally signed software application.
"The discovery and analysis of the malware attack using the open-source debugger tool x32dbg.exe [the 32-bit debugger for x64dbg] shows us that DLL side loading is still used by threat actors today because it is an effective way to circumvent security measures and gain control of a target system," the researchers wrote in a report this month.
Even with more advanced security tools "attackers continue to use this technique since it exploits a fundamental trust in legitimate applications," they wrote. "This technique will remain viable for attackers to deliver malware and gain access to sensitive information as long as systems and applications continue to trust and load dynamic libraries."
Sophos analysts in November 2020 touched on PlugX hijacking when researching malware they dubbed "KillSomeOne," and Palo Alto's Unit 42 team spotted it again this January while investigating the notorious Black Basta ransomware code, which included a PlugX variant that put malicious files onto removable USB devices.
The x64dbg tool is used to examine kernel-mode and user-mode code, crash dumps, and CPU registers, Trend Micro researchers wrote. PlugX is a post-exploitation implant that has been around as far back as 2008 and has been widely used, initially by Asian advanced persistent threat (APT) gangs – particularly those linked with China – and later by a broader range of threat groups.
x32dbg comes with a digital signature that can get past many security tools. By hijacking it, miscreants can establish persistence in the compromised system and escalate privileges.
While DLL side-loading is typical of PlugX behavior, "this variant was unique in that it employed several components to perform various functions, including persistence, propagation, and backdoor communication," the Trend Micro researchers wrote.
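A defender-side illustration of why the valid signature on x32dbg.exe says nothing about the DLLs it loads. This is an added example, not code from Trend Micro's report or from this article; it assumes Sysmon Event ID 7 (image load) records reduced to four fields, and the sample events, paths and DLL names are constructed.

```python
import ntpath

# Assumption: locations a standard user can normally write to; tune per site.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def _trusted(ev):
    """True when Sysmon reports the loaded image as validly signed."""
    return ev["Signed"].lower() == "true" and ev["SignatureStatus"] == "Valid"

def find_sideload_candidates(events):
    """Return (host, dll) pairs worth triage: a validly signed host process
    loading an untrusted DLL from its own user-writable directory."""
    norm = ntpath.normcase
    # Sysmon also records the EXE itself as an image load, so the host's own
    # signature state comes from the event where Image == ImageLoaded.
    signed_hosts = {norm(e["Image"]) for e in events
                    if norm(e["Image"]) == norm(e["ImageLoaded"]) and _trusted(e)}
    hits = []
    for e in events:
        host, mod = norm(e["Image"]), norm(e["ImageLoaded"])
        if host == mod or host not in signed_hosts:
            continue
        same_dir = ntpath.dirname(host) == ntpath.dirname(mod)
        writable = any(marker in host for marker in USER_WRITABLE)
        if same_dir and writable and not _trusted(e):
            hits.append((e["Image"], e["ImageLoaded"]))
    return hits

def _ev(image, loaded, signed, status):
    return {"Image": image, "ImageLoaded": loaded,
            "Signed": signed, "SignatureStatus": status}

# Constructed sample events; paths and the DLL names are placeholders.
STAGED = r"C:\Users\Public\Tools\x32dbg.exe"
INSTALLED = r"C:\Program Files\x64dbg\x32dbg.exe"
SAMPLE_EVENTS = [
    _ev(STAGED, STAGED, "true", "Valid"),
    _ev(STAGED, r"C:\Users\Public\Tools\placeholder.dll", "false", "Unavailable"),
    _ev(STAGED, r"C:\Windows\System32\kernel32.dll", "true", "Valid"),
    _ev(INSTALLED, INSTALLED, "true", "Valid"),
    # Unsigned plugin in an admin-only install path: not flagged by this rule.
    _ev(INSTALLED, r"C:\Program Files\x64dbg\plugin.dll", "false", "Unavailable"),
]

if __name__ == "__main__":
    for host, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"review: {host} loaded untrusted {dll}")
```

The rule keys on the loaded module's signature and location rather than the host's, which is the trust gap the researchers describe.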