Hackers have been observed disguising the PlugRAT remote access Trojan as a Microsoft debugger, in order to slip past antivirus solutions and compromise targeted endpoints.
Cybersecurity experts from Trend Micro recently spotted an unidentified threat actor using x64dbg to deliver the trojan. x64dbg is an open-source debugging tool, allegedly quite popular in the developer community. It is usually used to examine kernel-mode and user-mode code, crash dumps, or CPU registers.
However, here it is being leveraged in an attack known as DLL side-loading.
For the program to properly run, it needs a specific .DLL file. If there are multiple DLL files with the same name, it will first run the one that’s found in the same folder as the executive file, and that’s what the hackers exploit. By delivering a modified DLL file together with the program, they ensure that the legitimate software ends up triggering the malware.
In this case, the software carries a valid digital signature which can “confuse” some security tools, the researchers explained. That allows threat actors to “fly under the radar”, maintain persistence, escalate privileges, and bypass file execution restrictions.
“The discovery and analysis of the malware attack using the open-source debugger tool x32dbg.exe [the 32-bit debugger for x64dbg] shows us that DLL side loading is still used by threat actors today because it is an effective way to circumvent security measures and gain control of a target system,” Trend Micro’s report (opens in new tab) reads.
“Attackers continue to use this technique since it exploits a fundamental trust in legitimate applications,” the report continues. “This technique will remain viable for attackers to deliver malware (opens in new tab) and gain access to sensitive information as long as systems and applications continue to trust and load dynamic libraries.”
The best way to protect against such threats is to make sure you know which programs you’re running and that you trust the person sharing the executable. Trend Micro believes side-loading attacks will remain a valid attack vector for years to come since they exploit a “fundamental trust in legitimate applications.”
“This technique will remain viable for attackers to deliver malware and gain access to sensitive information as long as systems and applications continue to trust and load dynamic libraries;” they concluded.
Via: The Register (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba