PlugRAT Trojan disguises itself as Microsoft debugger to slip past your antivirus

News
By Sead Fadilpašić
published

Attackers are side-loading malware onto target devices

Laptop Virus
(Image credit: Shutterstock)

Hackers have been observed disguising the PlugRAT remote access Trojan as a Microsoft debugger, in order to slip past antivirus solutions and compromise targeted endpoints.

Cybersecurity experts from Trend Micro recently spotted an unidentified threat actor using x64dbg to deliver the trojan. x64dbg is an open-source debugging tool, allegedly quite popular in the developer community. It is usually used to examine kernel-mode and user-mode code, crash dumps, or CPU registers. 

However, here it is being leveraged in an attack known as DLL side-loading.

Confusing antivirus tools

For the program to properly run, it needs a specific .DLL file. If there are multiple DLL files with the same name, it will first run the one that’s found in the same folder as the executive file, and that’s what the hackers exploit. By delivering a modified DLL file together with the program, they ensure that the legitimate software ends up triggering the malware.

In this case, the software carries a valid digital signature which can “confuse” some security tools, the researchers explained. That allows threat actors to “fly under the radar”, maintain persistence, escalate privileges, and bypass file execution restrictions.

"The discovery and analysis of the malware attack using the open-source debugger tool x32dbg.exe [the 32-bit debugger for x64dbg] shows us that DLL side loading is still used by threat actors today because it is an effective way to circumvent security measures and gain control of a target system," Trend Micro’s report reads.

Read more

> Another vital Windows tool is being abused to sideload malware

> Criminals hijack antivirus software to deliver malware

> These are the best endpoint protection services right now

"Attackers continue to use this technique since it exploits a fundamental trust in legitimate applications," the report continues. "This technique will remain viable for attackers to deliver malware and gain access to sensitive information as long as systems and applications continue to trust and load dynamic libraries."

The best way to protect against such threats is to make sure you know which programs you’re running and that you trust the person sharing the executable. Trend Micro believes side-loading attacks will remain a valid attack vector for years to come since they exploit a “fundamental trust in legitimate applications.”

“This technique will remain viable for attackers to deliver malware and gain access to sensitive information as long as systems and applications continue to trust and load dynamic libraries;” they concluded.

Via: The Register

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.