The PlugX remote access trojan has been observed masquerading as x64dbg, an open-source Windows debugger, in order to slip past security controls and take control of targeted systems. PlugX, also known as Korplug, is a modular implant with a broad feature set, including data exfiltration and other post-compromise activity on infected machines.
Masquerading as x64dbg Debugger
According to a recent report by Trend Micro researchers, the malware rides on a legitimate copy of the open-source Windows debugger x64dbg. Because the debugger is a trusted tool normally used to examine code, crash dumps and CPU registers, its reputation helps the threat actors stay undetected while they establish persistence, elevate privileges and bypass file execution restrictions.
The Evolution and Usage of PlugX
Although PlugX was first documented in 2012, early samples date back to February 2008. Over the years the threat has been associated with both Chinese-affiliated threat actors and cybercrime groups.
PlugX is known for its post-exploitation capabilities, which let operators exfiltrate data and use compromised hosts as a foothold for further activity.
DLL Side-Loading Technique Exploited
PlugX is executed through a technique known as DLL side-loading. The operators ship a malicious DLL alongside a legitimate, digitally signed executable, in this case x32dbg.exe, the 32-bit component of the x64dbg debugger, and rely on the Windows DLL search order: because the loader consults the application's own directory before the system directories, the signed binary picks up the attacker's DLL in place of the one it expects. Since the process that appears to run is a trusted, validly signed application, some security tools do not flag it, which helps the trojan persist and evade execution restrictions.
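To make the mechanism concrete, the following Python script models the default Windows DLL search order and reports which imports of a signed executable are controlled by anyone who can write to its directory. It is an added example written for this article, not code from the Trend Micro or Unit 42 reports, and it does not reproduce the PlugX sample: the directory layout, the file names (a hypothetical helper.dll and a planted version.dll and kernel32.dll beside x32dbg.exe) and the import list are constructed, and the KnownDLLs set is an abbreviated subset of the real registry list.

```python
"""Model of the Windows DLL search order, showing why a signed executable
such as x32dbg.exe can be made to load an attacker's DLL.

Added example for this article; not code from the Trend Micro or Unit 42
reports and not a reproduction of the PlugX sample. The directory layout,
file names and import list are constructed. Resolution follows the
documented default order with SafeDllSearchMode enabled.
"""
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
SYSTEM16 = PureWindowsPath(r"C:\Windows\System")
WINDIR = PureWindowsPath(r"C:\Windows")

# Abbreviated, constructed subset of HKLM\SYSTEM\CurrentControlSet\Control\
# Session Manager\KnownDLLs. The loader maps these from System32 regardless
# of what sits next to the executable, so they cannot be side-loaded.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, path_dirs):
    """Default search order (SafeDllSearchMode on): the application's own
    directory is consulted before any system directory."""
    return [PureWindowsPath(app_dir), SYSTEM32, SYSTEM16, WINDIR,
            PureWindowsPath(cwd), *(PureWindowsPath(p) for p in path_dirs)]


def resolve(dll_name, app_dir, cwd, path_dirs, filesystem):
    """Return the path the loader would pick for dll_name, or None.
    `filesystem` is the set of files present (constructed for the demo)."""
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        candidate = SYSTEM32 / name
        return candidate if candidate in filesystem else None
    for directory in search_order(app_dir, cwd, path_dirs):
        candidate = directory / name
        if candidate in filesystem:
            return candidate
    return None


def sideload_exposure(exe_path, imports, cwd, path_dirs, filesystem):
    """For each imported DLL, report where it resolves and whether that
    location is the application directory, i.e. a place where anyone who
    can write next to the signed executable controls what gets loaded."""
    exe = PureWindowsPath(exe_path)
    app_dir = exe.parent
    report = {}
    for dll in imports:
        path = resolve(dll, app_dir, cwd, path_dirs, filesystem)
        in_app_dir = path is not None and path.parent == app_dir
        report[dll.lower()] = {
            "resolved": str(path) if path else None,
            "from_app_dir": in_app_dir,
            # True when a genuine system copy exists but is never reached.
            "shadows_system_copy": in_app_dir and (SYSTEM32 / dll.lower()) in filesystem,
        }
    return report


# Constructed layout: a signed debugger binary in a user-writable folder,
# its own helper DLL next to it, plus two planted copies of system DLL names.
APP_DIR = PureWindowsPath(r"C:\Users\alice\Downloads\debugger")
FILESYSTEM = {
    APP_DIR / "x32dbg.exe",
    APP_DIR / "helper.dll",      # hypothetical application DLL, replaced by the attacker
    APP_DIR / "version.dll",     # planted copy of a system library not in KnownDLLs
    APP_DIR / "kernel32.dll",    # planted, but KnownDLLs makes it inert
    SYSTEM32 / "version.dll",
    SYSTEM32 / "kernel32.dll",
    SYSTEM32 / "ntdll.dll",
}
IMPORTS = ["kernel32.dll", "version.dll", "helper.dll"]  # constructed import list


def demo():
    return sideload_exposure(APP_DIR / "x32dbg.exe", IMPORTS,
                             cwd=r"C:\Users\alice",
                             path_dirs=[r"C:\Windows\System32"],
                             filesystem=FILESYSTEM)


if __name__ == "__main__":
    for dll, info in demo().items():
        print(f"{dll:14} -> {info['resolved']}  "
              f"app_dir={info['from_app_dir']}  shadows={info['shadows_system_copy']}")
```

Two of the three imports end up under the attacker's control: version.dll because a copy beside the executable shadows the real one in System32, and helper.dll because it is the application's own bundled library with no system copy at all, which is the situation the Trend Micro report describes. kernel32.dll is unaffected despite the planted file, because KnownDLLs are always mapped from System32. The helper.dll case is also why name-based checks are weak here and why a practical hunt compares the Authenticode signer of every DLL in an application directory against the signer of the executable that loads it.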
Propagation through USB Devices
Palo Alto Networks Unit 42 recently discovered a new PlugX variant that spreads via removable USB drives. The malware hides its files on the drive so that, when the drive is connected to another Windows host, the infection is carried there as well, extending the trojan's reach to systems it could not otherwise access.