Hackers have been observed disguising the PlugRAT remote access Trojan as a Microsoft debugger, in order to slip past antivirus solutions and compromise targeted endpoints.
Cybersecurity experts from Trend Micro recently spotted an unidentified threat actor using x64dbg to deliver the trojan. x64dbg is an open-source debugging tool, allegedly quite popular in the developer community. It is usually used to examine kernel-mode and user-mode code, crash dumps, or CPU registers.
However, here it is being leveraged in an attack known as DLL side-loading.
For the program to run properly, it needs a specific .DLL file. Windows looks for that DLL by name and searches the folder containing the executable file before the system folders, so if multiple DLL files share the same name, the one sitting next to the executable is loaded first, and that is what the hackers exploit. By delivering a modified DLL file together with the program, they ensure that the legitimate software ends up triggering the malware.
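The search-order behaviour described above, as an added defender-side check that is not from the Trend Micro report or this article: it models "application directory before system directory" resolution and flags any DLL beside an executable that shares a name with a system DLL but has different contents. The folder layout, file names (x32dbg.exe, helper.dll) and file contents are constructed placeholders, not real PE files.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def resolve_dll(name: str, search_order: list[Path]) -> Path | None:
    """Return the path a Windows-style search order would load `name` from:
    the first directory in `search_order` that contains it wins."""
    for directory in search_order:
        candidate = directory / name
        if candidate.is_file():
            return candidate
    return None


def sideload_candidates(app_dir: Path, system_dirs: list[Path]) -> list[dict]:
    """Flag DLLs beside the executable that carry the same name as a system
    DLL but different contents, which is the setup DLL side-loading relies on."""
    findings = []
    for dll in app_dir.glob("*.dll"):
        for sys_dir in system_dirs:
            twin = sys_dir / dll.name
            if twin.is_file() and sha256(twin) != sha256(dll):
                findings.append({"name": dll.name, "loaded_from": str(dll),
                                 "shadows": str(twin)})
    return findings


def demo() -> dict:
    # Constructed layout (hypothetical names, placeholder bytes, not real PE
    # files): an app folder with the debugger and a planted "helper.dll", and
    # a fake System32 folder holding the legitimate "helper.dll".
    root = Path(tempfile.mkdtemp())
    app, system32 = root / "app", root / "System32"
    app.mkdir()
    system32.mkdir()
    (app / "x32dbg.exe").write_bytes(b"placeholder executable")
    (app / "helper.dll").write_bytes(b"planted loader")
    (system32 / "helper.dll").write_bytes(b"legitimate copy")
    loaded = resolve_dll("helper.dll", [app, system32])  # app folder wins
    return {"loaded_from_app_dir": loaded is not None and loaded.parent == app,
            "findings": sideload_candidates(app, [system32])}
```

Run `demo()` to see the planted DLL reported as shadowing its System32 twin; on a real host the same check would be pointed at the folder of the signed executable and the actual system directories.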
In this case, the software carries a valid digital signature which can “confuse” some security tools, the researchers explained. That allows threat actors to “fly under the radar”, maintain persistence, escalate privileges, and bypass file execution restrictions.
“The discovery and analysis of the malware attack using the open-source debugger tool x32dbg.exe [the 32-bit debugger for x64dbg] shows us that DLL side loading is still used by threat actors today because it is an effective way to circumvent security measures and gain control of a target system,” Trend Micro’s report reads.
“Attackers continue to use this technique since it exploits a fundamental trust in legitimate applications,” the report continues. “This technique will remain viable for attackers to deliver malware and gain access to sensitive information as long as systems and applications continue to trust and load dynamic libraries.”
The best way to protect against such threats is to make sure you know which programs you’re running and that you trust the person sharing the executable. Trend Micro believes side-loading attacks will remain a valid attack vector for years to come since they exploit a “fundamental trust in legitimate applications.”
Via: The Register