PlugX RAT masquerades as legit Windows debugger to slip past security
2023-03-01 07:30

Cybercriminals are disguising the PlugX remote access trojan as a legitimate open-source Windows debugging tool to evade detection and compromise systems.

In a recent case detailed by Trend Micro, miscreants used a PlugX variant to hijack the popular x64dbg debugging tool to go undetected.

In this case PlugX loads a malicious payload after hijacking x64dbg, a trusted and digitally signed software application.

Sophos analysts in November 2020 touched on PlugX hijacking when researching malware they dubbed "KillSomeOne," and Palo Alto's Unit 42 team spotted it again this January while investigating the notorious Black Basta ransomware code, which included a PlugX variant that puts malicious files onto removable USB devices.

PlugX is a post-exploitation implant that has been around as far back as 2008 and has been widely used, initially by Asian advanced persistent threat gangs - particularly those linked with China - and later by a broader range of threat groups.

While DLL side-loading is typical of PlugX behavior, "This variant was unique in that it employed several components to perform various functions, including persistence, propagation, and backdoor communication," the Trend Micro researchers wrote.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/03/01/plugx_dll_loading_malware/