The PlugX remote access trojan has been observed masquerading as an open source Windows debugger tool called x64dbg in an attempt to circumvent security protections and gain control of a target system. "This file is a legitimate open-source debugger tool for Windows that is generally used to examine kernel-mode and user-mode code, crash dumps, or CPU registers," Trend Micro researchers Buddy Tancio, Jed Valderama, and Catherine Loveria said in a report published last week.
PlugX, also known as Korplug, is a modular post-exploitation implant known, among other things, for data exfiltration and for putting the compromised machine to further malicious use. Although first documented a decade ago in 2012, early samples of the malware date back as far as February 2008, according to a Trend Micro report at the time. Over the years, PlugX has been used by threat actors with a Chinese nexus as well as by cybercrime groups.
One of the key methods the malware employs is a technique called DLL side-loading, which loads a malicious DLL through a digitally signed software application, in this case the x64dbg debugging tool (x32dbg.exe). It's worth noting here that DLL side-loading attacks leverage the DLL search order mechanism in Windows: the attacker plants a DLL alongside a legitimate application and then invokes that application, which executes the rogue payload.
DLL side-loading is a type of attack in which the attacker gets a malicious DLL loaded by a digitally signed software application. In this case, the attacker uses the x64dbg debugging tool to load the malicious DLL. The attack works because the Windows DLL search order checks the application's own directory before the system directories, so a rogue DLL carrying an expected name and placed next to the legitimate, trusted executable is the one that gets located and run inside that application's process.
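The following is an added detection example, not code from the article or from Trend Micro, that applies the side-loading pattern described above to image-load telemetry. It assumes Sysmon Event ID 7 ("Image loaded") style records with the fields `Image`, `ImageLoaded`, `Signed` and `Signature`; the event records and the list of commonly shadowed system DLL names are constructed for illustration, and the DLL name used in the PlugX case is not taken from the page. The heuristic flags a DLL loaded from the loading executable's own (non-system) directory when its name shadows a well-known system DLL or when it is unsigned.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load records.

Heuristic (defensive): a DLL loaded from the same directory as the
executable that loaded it, outside the Windows system directories, is
suspicious when (a) its file name shadows a DLL that normally lives in
System32, or (b) it carries no valid signature.
"""
import ntpath
from dataclasses import dataclass

# Directories from which system DLLs are legitimately loaded (lower-case).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample of DLL names that an application directory should
# normally not contain because the loader would otherwise pick them up
# before the System32 copies. Replace with your own baseline.
COMMON_SYSTEM_DLLS = frozenset({
    "version.dll", "dbghelp.dll", "userenv.dll", "cryptbase.dll",
    "wtsapi32.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
})

# Constructed records modelled on Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\Downloads\tools\x32dbg.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\victim\Downloads\tools\x32dbg.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\tools\version.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\victim\Downloads\tools\x32dbg.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\tools\helper.dll",
     "Signed": "true", "Signature": "Example Publisher (constructed)"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Acme\app.exe",
     "ImageLoaded": r"C:\Program Files\Acme\acme.dll",
     "Signed": "false", "Signature": ""},
]


@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    reason: str


def _lower_dir(path: str) -> str:
    """Directory component of a Windows path, normalised to lower case."""
    return ntpath.dirname(path).lower()


def analyse(events, shadowable=COMMON_SYSTEM_DLLS):
    """Return a Finding for each image-load record matching the heuristic."""
    findings = []
    for ev in events:
        exe, dll = ev["Image"], ev["ImageLoaded"]
        dll_dir = _lower_dir(dll)
        dll_name = ntpath.basename(dll).lower()
        # Loads out of the system directories are the expected case.
        if dll_dir.startswith(SYSTEM_DIRS):
            continue
        # Only the side-by-side case: DLL sitting in the executable's directory.
        if dll_dir != _lower_dir(exe):
            continue
        if dll_name in shadowable:
            findings.append(Finding(exe, dll,
                f"{dll_name} shadows a system DLL from the application directory"))
        elif ev.get("Signed", "").lower() != "true":
            findings.append(Finding(exe, dll,
                "unsigned DLL loaded from the application directory"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.process} -> {f.dll}: {f.reason}")
```

Run against the constructed events, the two flagged loads are the unsigned `version.dll` beside `x32dbg.exe` (a system-DLL name in an application directory) and the unsigned `acme.dll`; the signed helper DLL and the System32 loads pass. In practice the shadowable list should be derived from a baseline of your own fleet rather than the constructed sample here.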