PlugX Trojan disguised as a legitimate Windows open-source tool in recent attacks

Researchers detailed a new wave of attacks distributing the PlugX RAT disguised as a legitimate Windows debugger tool.

Trend Micro uncovered a new wave of attacks aimed at distributing the PlugX remote access trojan masqueraded as an open-source Windows debugger tool called x32dbg. The legitimate tool allows users to examine kernel-mode and user-mode code, crash dumps, or CPU registers.

The x32dbg.exe analyzed by the researchers has a valid digital signature, and for this reason it is considered safe by some security tools. Its use allows threat actors to avoid detection, maintain persistence, escalate privileges, and bypass file execution restrictions.

The RAT uses DLL side-loading to load its own malicious DLL payload when a digitally signed software application, such as the x32dbg debugging tool (x32dbg.exe), is executed.
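The side-loading pattern described above is visible in image-load telemetry: a signed executable running from a user-writable directory maps a DLL that sits beside it and carries no signature (or a different publisher's). The following is an added detection example, not code from the Trend Micro report or from Security Affairs; the events are constructed to resemble Sysmon Event ID 7 (Image loaded) fields, and the paths, the `helper.dll` name and the publisher names are placeholders rather than indicators from the report.

```python
"""Heuristic detection of DLL side-loading from image-load telemetry.

Added example (not from the Trend Micro report or Security Affairs): the
records below are constructed to resemble Sysmon Event ID 7 (Image loaded)
fields; paths, DLL names and signers are invented for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
import ntpath

# Directories from which a signed host legitimately pulls OS libraries.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ImageLoad:
    image: str          # executable that performed the load (host process)
    image_signer: str   # publisher on the host's Authenticode signature ("" if unsigned)
    image_loaded: str   # full path of the DLL that was mapped
    dll_signer: str     # publisher on the DLL's signature ("" if unsigned)


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def same_dir(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def classify(ev: ImageLoad) -> str | None:
    """Return a reason if the load matches the side-loading pattern, else None.

    Pattern: a signed executable running outside the Windows system
    directories maps a DLL that sits beside it and is either unsigned or
    signed by a different publisher than the host. Loads resolved from
    System32/SysWOW64 are ignored because those are the normal OS imports.
    """
    if not ev.image_signer:
        return None  # an unsigned host gains no borrowed trust; out of scope here
    if in_system_dir(ev.image) or in_system_dir(ev.image_loaded):
        return None
    if not same_dir(ev.image, ev.image_loaded):
        return None
    if not ev.dll_signer:
        return "signed host loaded an unsigned DLL from its own directory"
    if ev.dll_signer.lower() != ev.image_signer.lower():
        return f"signed host ({ev.image_signer}) loaded a DLL signed by {ev.dll_signer}"
    return None


def find_sideloads(events: list[ImageLoad]) -> list[tuple[str, str, str]]:
    """(host, dll, reason) for every event the heuristic flags."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.image, ev.image_loaded, reason))
    return hits


# Constructed sample telemetry. "helper.dll", "Example Corp" and "Vendor Inc"
# are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    # normal OS import by the signed debugger: ignored
    ImageLoad(r"C:\Users\alice\Downloads\x32dbg.exe", "Example Corp",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    # unsigned DLL beside the signed binary: flagged
    ImageLoad(r"C:\Users\alice\Downloads\x32dbg.exe", "Example Corp",
              r"C:\Users\alice\Downloads\helper.dll", ""),
    # vendor application loading its own signed plugin: not flagged
    ImageLoad(r"C:\Program Files\Vendor\app.exe", "Vendor Inc",
              r"C:\Program Files\Vendor\plugin.dll", "Vendor Inc"),
    # unsigned host loading an unsigned DLL: outside this heuristic's scope
    ImageLoad(r"C:\Tools\build.exe", "", r"C:\Tools\util.dll", ""),
]

if __name__ == "__main__":
    for host, dll, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"{host} -> {dll}: {reason}")
```

The publisher comparison is deliberately strict: a DLL signed by anyone other than the host's own publisher is still reported, because a valid signature on the host says nothing about the library it was tricked into loading. In production the same rule would be fed from an EDR or Sysmon pipeline and tuned with an allow-list of vendor directories that legitimately ship mixed-publisher plugins.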

Attackers achieved persistence by modifying registry entries and creating scheduled tasks to maintain access even when the system is restarted.

Experts reported that x32dbg.exe was used to drop a backdoor: a UDP shell client that collects system and host information, creates a thread that continuously waits for C2 commands, and decrypts C&C communication using the hardcoded key “Happiness is a way station between too much and too little.”


“Despite advances in security technology, attackers continue to use this technique since it exploits a fundamental trust in legitimate applications,” concludes the report, which also provides Indicators of Compromise (IoCs). “This technique will remain viable for attackers to deliver malware and gain access to sensitive information as long as systems and applications continue to trust and load dynamic libraries.”

Pierluigi Paganini (SecurityAffairs – hacking, Moshen Dragon)