Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool

Malware

Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX.

By: Buddy Tancio, Abraham Camba, Catherine Loveria. February 24, 2023

Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used, via DLL search order hijacking (MITRE ATT&CK T1574.001), to sideload a malicious DLL we identified as a variant of PlugX (Trojan.Win32.KORPLUG.AJ.enc). x32dbg.exe itself is a legitimate open-source debugger for Windows that is generally used to examine kernel-mode and user-mode code, crash dumps, or CPU registers. PlugX, meanwhile, is a well-known remote access trojan (RAT) used to gain remote access to and control over compromised machines: it allows an attacker to obtain unauthorized access to a system, steal sensitive data, and use the compromised machine for further malicious purposes. The MxDR team employed a number of advanced security technologies and solutions to gain a comprehensive understanding of the attack, which this report describes.

Being a legitimate application, x32dbg.exe’s valid digital signature can confuse some security tools, enabling threat actors to fly under the radar, maintain persistence, escalate privileges, and bypass file execution restrictions.
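The two paragraphs above describe the core signal a defender can hunt for: a validly signed host executable (here x32dbg.exe) that maps a DLL from its own directory, where that DLL is unsigned or signed by someone other than the host's publisher, and the host is running from a user-writable location rather than an installation directory. The following script is an added illustration of that hunting logic, not code from Trend Micro or from the report; it runs over constructed image-load records (paths, publisher names and the DLL file name are all placeholders chosen for the example, not indicators from the incident) of the kind an EDR or Sysmon Event ID 7 feed would provide.

```python
"""Heuristic detector for DLL sideloading via search-order hijacking.

Added example: flags image-load events where a signed executable loads a
DLL from its own directory that is unsigned or carries a different signer,
and notes when the host runs from a user-writable path. All sample data
below is constructed for the example.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Path fragments that usually mean "writable by an unprivileged user";
# a signed debugger executing from one of these is itself suspicious.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                       "\\programdata\\", "\\public\\")


@dataclass
class ImageLoad:
    process_image: str             # full path of the hosting executable
    process_signer: Optional[str]  # Authenticode publisher of the host, None if unsigned
    loaded_image: str              # full path of the DLL that was mapped
    loaded_signer: Optional[str]   # Authenticode publisher of the DLL, None if unsigned


@dataclass
class Finding:
    process_image: str
    loaded_image: str
    reasons: List[str] = field(default_factory=list)


def analyze(event: ImageLoad) -> Optional[Finding]:
    """Return a Finding for a sideload candidate, or None for a benign load."""
    host = PureWindowsPath(event.process_image.lower())
    dll = PureWindowsPath(event.loaded_image.lower())
    if dll.suffix != ".dll":
        return None
    # Search-order hijack precondition: the DLL was resolved from the
    # host's own directory instead of a system directory.
    if dll.parent != host.parent:
        return None

    reasons: List[str] = []
    if event.process_signer and not event.loaded_signer:
        reasons.append("signed host loaded an unsigned DLL from its own directory")
    elif event.process_signer and event.loaded_signer != event.process_signer:
        reasons.append("DLL signer differs from host signer")
    if not reasons:
        return None  # same publisher on both sides: normal application layout

    # Supporting signal: a signed tool running from a user-writable location.
    if any(hint in str(host) for hint in USER_WRITABLE_HINTS):
        reasons.append("host executable runs from a user-writable location")
    return Finding(event.process_image, event.loaded_image, reasons)


def scan(events: List[ImageLoad]) -> List[Finding]:
    """Run the heuristic over a batch of image-load events."""
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample telemetry (placeholder paths, DLL name and publishers).
SAMPLE_EVENTS = [
    # 1) Signed debugger dropped into Temp loads an unsigned DLL beside it.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\x32dbg.exe",
              "Debugger Publisher (constructed)",
              r"C:\Users\alice\AppData\Local\Temp\helper.dll", None),
    # 2) Same host loading a system DLL from System32: benign.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\x32dbg.exe",
              "Debugger Publisher (constructed)",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    # 3) Vendor application loading its own DLL signed by the same publisher: benign.
    ImageLoad(r"C:\Program Files\Vendor\app.exe", "Vendor Inc (constructed)",
              r"C:\Program Files\Vendor\plugin.dll", "Vendor Inc (constructed)"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.process_image, "->", finding.loaded_image)
        for reason in finding.reasons:
            print("   ", reason)
```

Only the first sample event is reported, with both reasons attached. In production the signer fields would come from the telemetry source's signature verification rather than from strings, and the path-hint list would be tuned to the environment; the value of the heuristic is that it keys on the structural relationship between host and DLL rather than on any particular file name, so it applies to any signed binary abused the same way.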
