RIG Exploit Kit operators leverage PROPagate Injection Technique to deliver Miner

FireEye reported the PROPagate code injection technique that was observed for the first time in a malware distribution campaign in the wild.

Security experts from FireEye have documented the PROPagate code injection technique that was observed for the first time in a malware distribution campaign in the wild.

The PROPagate code injection technique was first discovered in November 2017 by a Hexacorn security researcher that demonstrated it works on all recent Windows versions and could allow attackers to inject malicious code into other applications.

The expert discovered that it is possible to abuse legitimate GUI window properties (UxSubclassInfo and CC32SubclassInfo) utilized internally by SetWindowSubclass function to load and execute malicious code inside other applications.

Back then, a security researcher found that an attacker could abuse the SetWindowSubclass API, a function of the Windows operating system that manages GUIs, to load and execute malicious code inside the processes of legitimate apps.

Malware authors took several months to adopt the PROPagate code injection technique in a live malware campaign.

Recently the experts at FireEye uncovered a campaign leveraging RIG Exploit Kit delivering Monero miner via the PROPagate code injection technique.

The operators of the RIG exploit kit are hijacking traffic from legitimate sites using a hidden iframe and redirects them to a page hosting the exploit kit. The RIG exploit kit uses three JavaScripts snippets, each of which uses a different technique to deliver the malicious payload. Thre three techniques spread the malware:

• via malicious JavaScript;
• via Flash;
• via Visual Basic script;

Below the attack chain described by FireEye:

“The attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe.” reads the analysis published by FireEye.

“This shellcode executes the next payload, which downloads and executes the Monero miner. “

The analysis of the payload allowed the experts to determine that threat actors have used multiple payloads and anti-analysis techniques to bypass the analysis environment.

 

“Although we have been observing a decline in Exploit Kit activity, attackers are not abandoning them altogether.” In this blog post, we explored how RIG EK is being used with various exploits to compromise endpoints. We have also shown how the NSIS Loader leverages the lesser known PROPagate process injection technique, possibly in an attempt to evade security products.” concluded FireEye.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – PROPagate code injection, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]