Threat actors abuse Windows debugger tool to disguise PlugX trojan attacks

Researchers have discovered threat actors abusing legitimate open-source debugger tool for Windows to disguise PlugX trojan attacks.

Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered the file (x32dbg.exe) used a DLL search order hijacking technique to sideload a malicious DLL, a variant of PlugX. The file is a well-known debugger tool for Windows optimized for reverse engineering and malware analysis.

Hackers use PlugX, a well-known remote access trojan (RAT), to gain unauthorized remote access to and control over compromised systems.

“It allows an attacker to obtain unauthorized access to a system, steal sensitive data, and use the compromised machine for malicious purposes,” Trend Micro wrote in a blog post.

In addition to using DLL sideloading, the researchers found the new PlugX variant “was unique in that it employed several components to perform various functions, including persistence, propagation, and backdoor communication.”

Back in January 2021, Trend Micro previously discovered attackers using PlugX in an advanced persistent threat (APT) attack using “sophisticated techniques in an attempt to exfiltrate sensitive information from a company.”

Readers can check out Trend Micro’s report to learn more details on the PlugX tactics and techniques, such as how the malware maintained persistence, used the DLL sideloading technique, and more. 

Related Articles