Security experts from FireEye have documented the first in-the-wild use of the PROPagate code injection technique in a malware distribution campaign.
The PROPagate code injection technique was first described in November 2017 by a security researcher at Hexacorn, who demonstrated that it works on all recent Windows versions and could allow attackers to inject malicious code into other applications.
The researcher found that the legitimate GUI window properties UxSubclassInfo and CC32SubclassInfo, which the SetWindowSubclass function uses internally to store its subclassing state, can be abused to load and execute malicious code inside other applications. In other words, an attacker can misuse SetWindowSubclass, a Windows API for managing GUI window behaviour, to run code inside the processes of legitimate apps.
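The subclassing state described above can be audited from the defender's side. The following PowerShell script is an added example and is not code from the article, FireEye or Hexacorn: it enumerates the windows of a process (explorer.exe by default), reads the subclass header that the UxSubclassInfo and CC32SubclassInfo properties point to, and flags any callback pointer that does not live inside a mapped PE image. It assumes the comctl32 SUBCLASS_HEADER layout noted in the comments (uRefs, uAlloc, uCleanup, dwThreadId, pFrameCur, then an array of pfnSubclass/uIdSubclass/dwRefData entries), a target process of the same bitness as the PowerShell host, and that legitimate subclass callbacks always reside in image-backed memory; run it from an elevated prompt.

```powershell
# Added hunting example (not from the article, FireEye or Hexacorn).
# Assumptions: the comctl32 SUBCLASS_HEADER layout below, a target of the same
# bitness as this PowerShell host, and that legitimate subclass callbacks
# always live in image-backed (MEM_IMAGE) memory. Run elevated.
param([string]$ProcessName = 'explorer')

Add-Type @"
using System;
using System.Runtime.InteropServices;
public static class Win32 {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumChildWindows(IntPtr parent, EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern IntPtr GetProp(IntPtr hWnd, string name);
    [DllImport("kernel32.dll")] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll")] public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);
    [DllImport("kernel32.dll")] public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, IntPtr len);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
    }
}
"@

$PROCESS_QUERY_INFORMATION_VM_READ = 0x410
$MEM_IMAGE  = 0x1000000
$ptrSize    = [IntPtr]::Size
$headerSize = 16 + $ptrSize   # uRefs, uAlloc, uCleanup, dwThreadId (4 bytes each) + pFrameCur (assumed layout)
$callSize   = 3 * $ptrSize    # SUBCLASS_CALL: pfnSubclass, uIdSubclass, dwRefData (assumed layout)

# Top-level windows owned by the PID, plus all of their descendants.
function Get-ProcessWindows([uint32]$TargetPid) {
    $found = New-Object 'System.Collections.Generic.List[IntPtr]'
    $topCb = [Win32+EnumWindowsProc]({ param($h, $l)
        $owner = [uint32]0
        [void][Win32]::GetWindowThreadProcessId($h, [ref]$owner)
        if ($owner -eq $TargetPid) { $found.Add($h) }
        $true }.GetNewClosure())
    [void][Win32]::EnumWindows($topCb, [IntPtr]::Zero)
    $children = New-Object 'System.Collections.Generic.List[IntPtr]'
    $childCb = [Win32+EnumWindowsProc]({ param($h, $l) $children.Add($h); $true }.GetNewClosure())
    foreach ($top in $found) { [void][Win32]::EnumChildWindows($top, $childCb, [IntPtr]::Zero) }
    $found.AddRange($children)
    return ,$found
}

function Read-Bytes([IntPtr]$h, [IntPtr]$addr, [int]$count) {
    $buf = New-Object byte[] $count
    $read = [IntPtr]::Zero
    if ([Win32]::ReadProcessMemory($h, $addr, $buf, [IntPtr]$count, [ref]$read)) { return ,$buf }
    return $null
}

function Read-Pointer([IntPtr]$h, [IntPtr]$addr) {
    $b = Read-Bytes $h $addr $ptrSize
    if ($null -eq $b) { return $null }
    if ($ptrSize -eq 8) { return [IntPtr][BitConverter]::ToInt64($b, 0) }
    return [IntPtr][BitConverter]::ToInt32($b, 0)
}

# True when the address lies inside a mapped PE image (DLL/EXE), where real callbacks live.
function Test-ImageBacked([IntPtr]$h, [IntPtr]$addr) {
    $mbi = New-Object 'Win32+MEMORY_BASIC_INFORMATION'
    $len = [Runtime.InteropServices.Marshal]::SizeOf([type]'Win32+MEMORY_BASIC_INFORMATION')
    $n = [Win32]::VirtualQueryEx($h, $addr, [ref]$mbi, [IntPtr]$len)
    return ($n -ne [IntPtr]::Zero) -and ($mbi.Type -eq $MEM_IMAGE)
}

$proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
$hProc = [Win32]::OpenProcess($PROCESS_QUERY_INFORMATION_VM_READ, $false, [uint32]$proc.Id)
if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess failed for PID $($proc.Id) (run elevated?)" }
try {
    foreach ($hwnd in (Get-ProcessWindows ([uint32]$proc.Id))) {
        foreach ($prop in 'UxSubclassInfo', 'CC32SubclassInfo') {
            $hdr = [Win32]::GetProp($hwnd, $prop)
            if ($hdr -eq [IntPtr]::Zero) { continue }      # window is not subclassed
            $refsBytes = Read-Bytes $hProc $hdr 4
            if ($null -eq $refsBytes) { continue }
            $refs = [BitConverter]::ToUInt32($refsBytes, 0)
            if ($refs -gt 64) { Write-Warning ("0x{0:X}: implausible uRefs={1} in {2} header" -f $hwnd.ToInt64(), $refs, $prop); continue }
            for ($i = 0; $i -lt $refs; $i++) {
                $fn = Read-Pointer $hProc ([IntPtr]($hdr.ToInt64() + $headerSize + $i * $callSize))
                if ($null -eq $fn -or $fn -eq [IntPtr]::Zero) { continue }
                $ok = Test-ImageBacked $hProc $fn
                [pscustomobject]@{
                    HWND = '0x{0:X}' -f $hwnd.ToInt64(); Property = $prop; Index = $i
                    Callback = '0x{0:X}' -f $fn.ToInt64(); ImageBacked = $ok
                    Verdict = $(if ($ok) { 'ok' } else { 'SUSPICIOUS: callback outside any mapped image' })
                }
            }
        }
    }
} finally { [void][Win32]::CloseHandle($hProc) }
```

Every row with ImageBacked set to false deserves a closer look with a memory forensics tool, since a subclass callback that resolves to private, unbacked memory is what a planted subclass header would produce; a callback inside comctl32, shell32 or another loaded module is the normal case. The uRefs sanity limit and the per-entry null check keep the script from walking garbage if the header layout on a given build differs from the assumed one.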
Malware authors took several months to adopt the PROPagate code injection technique in a live malware campaign.
Recently, FireEye experts uncovered a campaign in which the RIG Exploit Kit delivered a Monero miner via the PROPagate code injection technique.
Below is the attack chain as described by FireEye:
“The attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe.” reads the analysis published by FireEye.
“This shellcode executes the next payload, which downloads and executes the Monero miner.”
Analysis of the payload showed that the threat actors used multiple payloads and anti-analysis techniques to evade analysis environments.
“Although we have been observing a decline in Exploit Kit activity, attackers are not abandoning them altogether. In this blog post, we explored how RIG EK is being used with various exploits to compromise endpoints. We have also shown how the NSIS Loader leverages the lesser known PROPagate process injection technique, possibly in an attempt to evade security products,” concluded FireEye.
(Security Affairs – PROPagate code injection, malware)