PlugX trojan poses as a Windows debugger in a new campaign

March 13, 2023

PlugX trojan operators have been impersonating the open-source Windows debugger x64dbg to bypass security detections and take over targeted systems.

PlugX, also known as Korplug, is a post-exploitation implant notorious for capabilities such as data exfiltration and the use of compromised devices for further malicious activity.

This remote access trojan emerged more than a decade ago, with the earliest known samples dating back to 2008. Over the years, PlugX has become widely used by different threat groups worldwide.

PlugX trojan adopts a strategy that uses side-loading to load its malicious tool.

According to investigations, the PlugX trojan operators employ DLL side-loading to have a digitally signed software application load their malicious DLL. In this campaign, the application abused by the threat actors is the Windows debugging tool.

Researchers explained that DLL side-loading attacks exploit the Windows DLL search order mechanism: a legitimate application is dropped and executed, and it loads the attacker's payload in place of the DLL it expects.

Furthermore, the researchers emphasised that x32dbg[.] is a legitimate application with a valid digital signature, which confuses some security defences. Hence, the operators can bypass detections, establish persistence, escalate privileges, and avoid file execution restrictions.
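Defenders can hunt for the pattern described above in endpoint image-load telemetry. The following is an added example, not code from the article or from any of the researchers it cites: a small Python heuristic over constructed Sysmon Event ID 7 (ImageLoad) records that flags an unsigned DLL loaded from beside its host executable in an untrusted directory, and a well-known system DLL name resolved outside trusted paths. The trusted directory list, the DLL name list, helper.dll and the sample paths are assumptions.

```python
import ntpath

# Install locations treated as trusted (assumption for this example).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
# Constructed sample of system DLL names that hijacking DLLs commonly impersonate.
COMMON_HIJACK_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll", "cryptsp.dll"}

def _norm(path):
    return ntpath.normpath(path).lower()

def _in_trusted_dir(directory):
    return any(directory == t or directory.startswith(t + "\\") for t in TRUSTED_DIRS)

def flag_sideload(event):
    """Return a reason string if an ImageLoad record looks like DLL side-loading, else None."""
    image, loaded = _norm(event["Image"]), _norm(event["ImageLoaded"])
    if not loaded.endswith(".dll"):
        return None
    proc_dir, dll_dir = ntpath.dirname(image), ntpath.dirname(loaded)
    dll_name = ntpath.basename(loaded)
    signed = event.get("Signed", "false").lower() == "true"
    # Search-order hijack: a well-known system DLL name resolved outside trusted paths.
    if dll_name in COMMON_HIJACK_NAMES and not _in_trusted_dir(dll_dir):
        return f"{dll_name} resolved outside a trusted directory: {dll_dir}"
    # Side-load: an unsigned DLL sitting beside the host executable in a user-writable location.
    if dll_dir == proc_dir and not _in_trusted_dir(proc_dir) and not signed:
        return f"unsigned {dll_name} loaded beside {ntpath.basename(image)} from {proc_dir}"
    return None

def scan(events):
    """Return (pid, process name, reason) for every flagged record."""
    return [(e["ProcessId"], ntpath.basename(e["Image"]), r)
            for e in events if (r := flag_sideload(e))]

# Constructed Sysmon Event ID 7 (ImageLoad) records; the paths and helper.dll are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 1201, "Image": r"C:\Program Files\x64dbg\release\x32\x32dbg.exe",
     "ImageLoaded": r"C:\Program Files\x64dbg\release\x32\helper.dll", "Signed": "true"},
    {"ProcessId": 4412, "Image": r"C:\Users\Public\Tools\x32dbg.exe",
     "ImageLoaded": r"C:\Users\Public\Tools\helper.dll", "Signed": "false"},
    {"ProcessId": 5108, "Image": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"ProcessId": 6320, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the two records where the debugger or viewer runs from a user-writable folder; the copies under Program Files and System32 pass.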

This cybercriminal campaign, which hijacks x64dbg to load PlugX, was revealed by other researchers last month. Those researchers also discovered a new PlugX trojan variant that obfuscates compromised files on removable USB devices to spread the infection to other Windows users.

Persistence is achieved through Windows Registry modifications and the creation of scheduled tasks to ensure uninterrupted access even after the system restarts.

Another researcher also noticed that the attackers used a legitimate debugging tool to launch a backdoor, a UDP shell client that harvests system information and waits for additional instructions from a remote server.

Cybersecurity experts explained that the attackers continue to use the same side-loading tactic despite improvements in security technology over the past years. The tactic persists because it exploits the fundamental trust that security solutions place in legitimate applications.
