"PlugX Trojan Disguised as a Legitimate Windows Open-Source Tool in Recent Attacks"

Researchers at Trend Micro discovered a new wave of attacks crafted to distribute the PlugX Remote Access Trojan (RAT) disguised as the open-source Windows debugger x32dbg. The legitimate tool enables the examination of kernel-mode and user-mode code, crash dumps, and CPU registers. The x32dbg.exe executable that the researchers studied carries a valid digital signature, so some security programs treat it as trustworthy. That trust lets threat actors evade detection, maintain persistence, elevate privileges, and circumvent file execution constraints. Because the application is digitally signed, the RAT leverages DLL side-loading: the trusted x32dbg executable loads the attackers' malicious DLL as its payload. By altering registry entries and creating scheduled tasks, the attackers maintained access even after a system restart. This article continues to discuss the researchers' findings regarding a new wave of attacks distributing the PlugX RAT masked as a legitimate Windows debugger tool.
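The side-loading pattern described above (a signed executable loading a DLL from its own directory instead of System32) can be surfaced from image-load telemetry. The following detection script is an added example, not code from the Trend Micro report or Security Affairs; the record layout (Sysmon-style image-load events with `image`, `image_loaded` and `signed` fields), the paths and the DLL name in the sample records are constructed assumptions, not details from the page.

```python
"""Flag DLL side-loading candidates in image-load telemetry (added example).

Assumes records shaped like Sysmon Event ID 7 (image load) with the fields
'image' (loading process), 'image_loaded' (DLL path) and 'signed' (bool).
All sample records below are constructed for illustration.
"""
from pathlib import PureWindowsPath

# DLL names a Windows process normally resolves from System32. Seeing one of
# these loaded from the executable's own folder is the classic side-loading
# pattern: the attacker-supplied copy wins the DLL search order.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "winhttp.dll",
               "userenv.dll", "wininet.dll"}

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def is_sideload_candidate(rec: dict) -> bool:
    """True when a System32-resident DLL name is loaded from the loader's
    own directory and the loaded DLL itself lacks a valid signature."""
    exe = PureWindowsPath(rec["image"])
    dll = PureWindowsPath(rec["image_loaded"])
    if dll.name.lower() not in SYSTEM_DLLS:
        return False
    dll_dir = str(dll.parent).lower()
    if dll_dir in SYSTEM_DIRS:
        return False  # loaded from the expected system location
    return dll_dir == str(exe.parent).lower() and not rec.get("signed", False)


def find_sideloads(records: list) -> list:
    """Return every record that matches the side-loading pattern."""
    return [r for r in records if is_sideload_candidate(r)]


# Constructed sample telemetry: a signed debugger binary loading an unsigned
# DLL from its own folder (suspicious), next to ordinary loads from System32.
SAMPLE_RECORDS = [
    {"image": r"C:\Users\Public\tool\x32dbg.exe",
     "image_loaded": r"C:\Users\Public\tool\version.dll", "signed": False},
    {"image": r"C:\Users\Public\tool\x32dbg.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"image": r"C:\Program Files\App\app.exe",
     "image_loaded": r"C:\Windows\System32\version.dll", "signed": True},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_RECORDS):
        print("possible DLL side-loading:", hit["image"], "->", hit["image_loaded"])
```

A hit only says the load matches the pattern; confirming it still means checking the DLL's hash and exports against the legitimate system copy and reviewing the registry and scheduled-task changes the report associates with persistence.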

Security Affairs reports "PlugX Trojan Disguised as a Legitimate Windows Open-Source Tool in Recent Attacks"
