PlugX RAT, an active and ever-evolving malware, is again making rounds with a new sneaky technique. While the previously identified variant was already capable of propagating to networks via USB drives, this one carries multiple threat components on the USB drive and pretends to be a legitimate debugging tool to evade detection.
What to know about the new PlugX
Researchers from Trend Micro discovered this new variant of PlugX RAT masquerading as the authentic Windows debugger tool, x32dbg.
- The malware carries a set of malicious files in a hidden folder on a USB drive and attempts to spread to other Windows host machines.
- Attackers use the x32dbg to deploy more malicious payloads, including a backdoor UDP Shell that allows the collection of system information and execution of instructions received from the server.
Attack tactics
- Attackers use DLL side-loading to execute malicious code via the DLLs of the x32dbg.
- The legitimate digitally signed drivers allow attackers to bypass security restrictions and escalate privileges.
- The malware tries to create scheduled tasks and modifies Windows Registry to ensure access even after the system restart.
- It further places multiple copies of the malicious files in multiple locations on the targeted machine.
Previous PlugX variant
The previous variant of PlugX, discovered in late January by Palo Alto, was found capable of infecting new hosts via removable media including USB or flash drives.
- Hackers would load the PlugX payload using a poisoned version of x32bridge.dll and the 32-bit version of the Windows debugging tool x64dbg.exe.
- The technique was highly stealthy and could impact air-gapped systems as well.
- Its advanced stealth capabilities keep it hidden in Windows that could only be detected by using specialized forensic tools.
Ending notes
DLL side-loading continues to be a preferred and effective method in many cybercrime operations. Moreover, combining this technique with the legitimate x32dbg debugging tool allows control over the target machine while bypassing security tools. To stay protected from such threats, experts suggest having a comprehensive approach toward security, including the implementation of network security, cloud security, and endpoint protection.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/21e3_shutterstock_178992023.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/afd0_shutterstock_1539408413.jpg)
