Cybersecurity experts have identified a new wave of attacks aimed at distributing the PlugX remote access trojan. In this campaign, the trojan is disguised as an open-source Windows debugger tool called x32dbg, which is a legitimate software application that enables users to examine kernel-mode and user-mode code, crash dumps, or CPU registers.
The malicious x32dbg.exe file that was analyzed by Trend Micro researchers has a valid digital signature, making it appear safe to some security tools. The use of this digital signature allows threat actors to bypass file execution restrictions, maintain persistence, escalate privileges, and avoid detection.
How the RAT operates
The PlugX RAT uses DLL side-loading to load its own malicious DLL payload when a digitally signed software application, such as x32dbg.exe, is executed. The malware achieves persistence by modifying registry entries and creating scheduled tasks to maintain access even when the system is restarted.
In this campaign, attackers used the x32dbg.exe to drop a backdoor, which is a UDP shell client that collects system and host information. The backdoor also creates a thread that continuously waits for C2 (command and control) commands and decrypts C&C communication using a hardcoded key.
Why this technique is still effective
Despite advancements in security technology, attackers continue to use this technique to exploit fundamental trust in legitimate applications. As long as systems and applications continue to trust and load dynamic libraries, this technique will remain viable for attackers to deliver malware and gain access to sensitive information.
Conclusion
It’s crucial to remain vigilant and take necessary precautions to protect against this and other types of attacks.
It’s recommended to keep software applications and security tools up to date, use strong passwords, and avoid downloading or installing software from untrusted sources.
Additionally, it’s vital to stay informed about the latest security threats and trends to proactively mitigate risks.
With the increasing sophistication of cyber threats, it’s essential to adopt a proactive approach to cybersecurity. Organizations should invest in the right security tools and technologies, as well as training their staff to identify and respond to cyber threats effectively. By taking a comprehensive approach to security, organizations can reduce their risk exposure and safeguard their critical data and assets.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
