Hackers have been observed disguising the PlugRAT remote access Trojan as a Microsoft debugger to slip past antivirus solutions and compromise targeted endpoints.
Trend Micro cybersecurity experts recently spotted an unknown threat actor using x64dbg to deliver the trojan. x64dbg is an open-source debugging tool, reportedly quite popular in the developer community. It is typically used to examine kernel-mode and user-mode code, crash dumps, or CPU registers.
However, here it is used in an attack known as DLL side-loading.
For the program to work properly, it needs a specific DLL file. If several DLLs with the same name exist, the one located in the same directory as the executable is loaded first, and this search-order behaviour is what the attackers exploit. By shipping a malicious DLL alongside the program, they ensure that the legitimate software itself ends up loading and activating the malware.
In this case, the debugger carries a valid digital signature that can “confuse” some security tools, the researchers explained. This allows threat actors to “fly under the radar”, maintain persistence, escalate privileges, and evade file execution restrictions.
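The two conditions described above (a DLL placed next to an executable that shadows a library of the same name elsewhere on the search path, and a signed host executable loading an unsigned companion DLL) are both things an administrator can audit for. The following PowerShell script is an added example, not code from the article or from Trend Micro; it assumes only built-in cmdlets (`Get-ChildItem`, `Get-AuthenticodeSignature`, `Get-FileHash`) and takes the directory to audit as `$Path`, which is a hypothetical parameter name chosen here.

```powershell
# Added example (not from the article or Trend Micro): audit a folder for
# DLL side-loading candidates. For every .exe found, the DLLs sitting in the
# same directory are examined and a DLL is flagged when
#   (a) a DLL of the same name also exists in System32/SysWOW64, meaning the
#       local copy would be loaded in preference to the system library, or
#   (b) the host executable has a valid Authenticode signature but the
#       colocated DLL does not (the "signed loader, unsigned payload" pattern).
# $Path is assumed to be a directory worth auditing, e.g. a downloads folder.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Returns the signature status and signer subject of a file.
function Get-SignerInfo {
    param([string]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File
    $subject = $null
    if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Status  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Subject = $subject
    }
}

$findings = foreach ($exe in Get-ChildItem -Path $Path -Recurse -Filter '*.exe' -File) {
    $exeSig    = Get-SignerInfo -File $exe.FullName
    $localDlls = Get-ChildItem -Path $exe.DirectoryName -Filter '*.dll' -File

    foreach ($dll in $localDlls) {
        $dllSig  = Get-SignerInfo -File $dll.FullName
        $reasons = @()

        # (a) name collision with a library shipped in a Windows system directory
        foreach ($dir in $systemDirs) {
            if (Test-Path (Join-Path $dir $dll.Name)) {
                $reasons += "shadows $dir\$($dll.Name)"
                break
            }
        }

        # (b) trusted host, untrusted companion
        if ($exeSig.Status -eq 'Valid' -and $dllSig.Status -ne 'Valid') {
            $reasons += "host signed by '$($exeSig.Subject)', DLL status $($dllSig.Status)"
        }
        elseif ($exeSig.Status -eq 'Valid' -and $dllSig.Status -eq 'Valid' -and
                $exeSig.Subject -ne $dllSig.Subject) {
            # Both signed, but by different publishers: worth a look, not proof of abuse
            $reasons += "different signer: '$($dllSig.Subject)'"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Executable = $exe.FullName
                Dll        = $dll.Name
                DllSha256  = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it as `.\Find-SideloadCandidates.ps1 -Path C:\Users\alice\Downloads` (file name is illustrative). A hit is a lead, not a verdict: plenty of legitimate software ships unsigned helper DLLs, so the SHA-256 in the output is there to check against vendor-published hashes or a reputation service before deciding anything.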
“The discovery and analysis of the malware attack using the open-source debugger tool x32dbg.exe [the 32-bit debugger for x64dbg] shows us that DLL sideloading is still used today by threat actors as it is an effective way to evade security measures and gain control over a target system,” Trend Micro’s report reads.
“Attackers continue to use this technique because it abuses a fundamental trust in legitimate applications,” the report continues. “This technique remains viable for attackers to deliver malware and access sensitive information as long as systems and applications continue to trust and load dynamic libraries.”
The best way to protect against such threats is to make sure you know what programs you are running and that you trust the person sharing the executable file. Trend Micro believes that side-loading attacks will continue to be a valid attack vector for years to come, as they exploit a “fundamental trust in legitimate applications.”
“This technique remains viable for attackers to deliver malware and access sensitive information as long as systems and applications continue to trust and load dynamic libraries,” they concluded.
Via: The Register