Trend Micro researchers have uncovered a new campaign where the PlugX malware is posing as the open-source x64dbg Windows debugger tool in an attempt to bypass security protections and take control of the target system. PlugX is a post-exploitation modular implant used for data exfiltration and deploying backdoors, among other things.
The malware is known for using the DLL side-loading technique: a digitally signed application, in this case the x64dbg debugger's x32dbg.exe, is made to load a malicious DLL placed alongside it. Because the process doing the loading is a trusted, signed binary, security tools are less likely to flag the activity, which allows the malware to avoid detection.
Persistence is achieved through Windows Registry modifications and the creation of scheduled tasks to ensure continued access even after system restarts. Palo Alto Networks Unit 42 had earlier revealed a new variant of the malware that hides malicious files on removable USB devices to propagate the infection to other Windows hosts.
Trend Micro researchers warn that despite advances in security technology, DLL side-loading will remain a viable technique for attackers to deliver malware and gain access to sensitive information as long as systems and applications continue to trust and load dynamic libraries. The researchers suggest that organisations should consider restricting and monitoring USB devices to prevent malware propagation and review their code-signing process.
They should also have layered defences in place, such as intrusion prevention systems (IPS), endpoint detection and response (EDR) tools and firewalls, to detect and prevent attacks that utilise DLL side-loading.
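The following is an added detection example, not code from Trend Micro or the x64dbg project: it triages Sysmon Event ID 7 (Image Loaded) records for the shape described above, a signed host executable running from a user-writable directory that maps an unsigned DLL from beside itself. The log format, the user-writable directory list, the known-host set and the placeholder DLL name are all assumptions; the article does not name the side-loaded DLL.

```python
"""Heuristic triage of Sysmon Event ID 7 records for DLL side-loading."""
from dataclasses import dataclass
import ntpath

# Directories a standard user can write to (assumed list; extend for your estate).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Signed tools the article reports being abused as a side-loading host.
KNOWN_HOSTS = {"x32dbg.exe", "x64dbg.exe"}


@dataclass
class ImageLoad:
    image: str          # Sysmon "Image": the process executable
    image_loaded: str   # Sysmon "ImageLoaded": the DLL mapped into it
    signed: bool        # Sysmon "Signed": signature state of the loaded DLL


def parse_sysmon7(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' rendering of a Sysmon Event ID 7."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(fields["Image"], fields["ImageLoaded"], fields["Signed"].lower() == "true")


def side_load_score(ev: ImageLoad) -> int:
    """0 = nothing notable; 1 = unsigned DLL loaded from beside its host in a
    user-writable directory; 2 = same, and the host is a known abused signed tool."""
    exe_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    if ev.signed or exe_dir != dll_dir or not exe_dir.startswith(USER_WRITABLE_PREFIXES):
        return 0
    return 2 if ntpath.basename(ev.image).lower() in KNOWN_HOSTS else 1


def triage(lines):
    """Return (dll basename, score) for every record that scores above zero."""
    hits = []
    for ev in map(parse_sysmon7, lines):
        score = side_load_score(ev)
        if score:
            hits.append((ntpath.basename(ev.image_loaded), score))
    return hits


# Constructed sample records; SIDELOADED_PLACEHOLDER.dll stands in for the unnamed malicious DLL.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\x32dbg.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\SIDELOADED_PLACEHOLDER.dll|Signed=false",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\x32dbg.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true",
    "Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Program Files\\Vendor\\helper.dll|Signed=false",
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # [('SIDELOADED_PLACEHOLDER.dll', 2)]
```

Sysmon Event ID 7 records the signature state of the loaded DLL, not of the host process, so the host's own signature has to be checked separately (for example with the same tooling used in the code-signing review the researchers recommend).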
PlugX has been documented since 2012, and early samples of the malware date back to February 2008. Over the years, it has been used by Chinese cybercriminal groups and by other cybercrime groups for nefarious purposes.
It is concerning that malware authors are using legitimate applications to deliver malware, as this makes it easier for malware to fly under the radar and evade detection.