The PlugX remote access trojan, also known as Korplug, is being loaded through x64dbg, an open-source Windows debugger that attackers abuse to bypass security protections and gain control of a target system. x64dbg is a legitimate open-source debugger for Windows, generally used to examine kernel-mode and user-mode code, crash dumps, or CPU registers.

The malware relies on DLL side-loading, a technique that exploits the DLL search order mechanism in Windows: the attacker plants a legitimate application alongside a rogue DLL, and when the application is invoked it loads and executes the malicious payload. By hijacking x64dbg to load PlugX, the attackers let the debugger's valid digital signature confuse some security tools, which allows them to fly under the radar, maintain persistence, escalate privileges, and bypass file execution restrictions.

Persistence is achieved through Windows Registry modifications and the creation of scheduled tasks, so that access survives system restarts. Analysis of the attack chain also revealed the use of x32dbg.exe to deploy a backdoor: a UDP shell client that collects system information and waits for additional instructions from a remote server.
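The behaviour chain above (a signed debugger binary loading an unsigned DLL from its own folder, followed by a Run-key write and a scheduled-task creation) is exactly what endpoint telemetry can catch. The following is an added example written for this summary, not code from The Hacker News or from the PlugX research it describes: a small detection pass over constructed Sysmon-style events. The field names follow Sysmon's event schema, but the key=value log format, the paths, the process IDs and the DLL name are all constructed for the example.

```python
"""Added detection example (not from the article): correlate DLL side-loading
by x64dbg/x32dbg with the registry and scheduled-task persistence that follows."""
import ntpath
import re

# Signed debugger executables the summary names as side-loading hosts.
DEBUGGER_IMAGES = {"x64dbg.exe", "x32dbg.exe"}

# Constructed events (not real telemetry). EventID 1 = process create,
# 7 = image load, 13 = registry value set. The first two lines are a normal
# debugger session; the rest show a copy of x32dbg.exe in a user-writable
# folder loading an unsigned DLL from its own directory, then writing a
# Run key and creating a scheduled task.
SAMPLE_EVENTS = r"""
EventID=1 ProcessId=4120 Image="C:\Program Files\x64dbg\release\x64\x64dbg.exe" ParentImage="C:\Windows\explorer.exe" ParentProcessId=900 CommandLine="x64dbg.exe"
EventID=7 ProcessId=4120 Image="C:\Program Files\x64dbg\release\x64\x64dbg.exe" ImageLoaded="C:\Program Files\x64dbg\release\x64\x64dbg.dll" Signed=true
EventID=1 ProcessId=5288 Image="C:\Users\Public\Libraries\x32dbg.exe" ParentImage="C:\Windows\explorer.exe" ParentProcessId=900 CommandLine="x32dbg.exe"
EventID=7 ProcessId=5288 Image="C:\Users\Public\Libraries\x32dbg.exe" ImageLoaded="C:\Users\Public\Libraries\example_sideload.dll" Signed=false
EventID=13 ProcessId=5288 Image="C:\Users\Public\Libraries\x32dbg.exe" TargetObject="HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
EventID=1 ProcessId=5301 Image="C:\Windows\System32\schtasks.exe" ParentImage="C:\Users\Public\Libraries\x32dbg.exe" ParentProcessId=5288 CommandLine="schtasks.exe /create /sc onlogon /tn Updater"
""".strip().splitlines()

# key=value pairs; quoted values may contain spaces and backslashes.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict of string fields."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def same_dir(path_a, path_b):
    """True when two Windows paths live in the same directory (case-insensitive)."""
    return ntpath.dirname(path_a).lower() == ntpath.dirname(path_b).lower()


def analyse(lines):
    """Return findings as {"rule", "pid", "detail"} dicts, in log order."""
    hosts = {}          # pid -> path of a running x64dbg/x32dbg process
    sideloaded = set()  # pids of hosts that loaded an unsigned DLL from their own folder
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid, pid, image = ev.get("EventID"), ev.get("ProcessId"), ev.get("Image", "")
        if eid == "1":
            if ntpath.basename(image).lower() in DEBUGGER_IMAGES:
                hosts[pid] = image
            # schtasks /create spawned by a host that already side-loaded a DLL
            parent = ev.get("ParentProcessId")
            if (parent in sideloaded
                    and ntpath.basename(image).lower() == "schtasks.exe"
                    and "/create" in ev.get("CommandLine", "").lower()):
                findings.append({"rule": "scheduled_task_persistence", "pid": parent,
                                 "detail": ev.get("CommandLine")})
        elif eid == "7" and pid in hosts:
            loaded = ev.get("ImageLoaded", "")
            # Side-loading indicator: unsigned DLL pulled from the host's own directory.
            if same_dir(loaded, hosts[pid]) and ev.get("Signed", "").lower() != "true":
                sideloaded.add(pid)
                findings.append({"rule": "dll_sideload", "pid": pid, "detail": loaded})
        elif eid == "13" and pid in sideloaded:
            target = ev.get("TargetObject", "")
            if "\\currentversion\\run\\" in target.lower():
                findings.append({"rule": "registry_run_persistence", "pid": pid,
                                 "detail": target})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(f'{finding["rule"]:28} pid={finding["pid"]} {finding["detail"]}')
```

The rules are deliberately chained: persistence events only count once the same process has already shown the side-loading indicator, which keeps a normal debugger session (the first two events) silent. In a real deployment the "unsigned DLL in the host's folder" test should be backed by hashes of a clean x64dbg install, since legitimate but unsigned plugins would otherwise produce false positives.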
Source: The Hacker News
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.