PROPagate Code Injection Technique Detected in the Wild for the First Time

Posted on Jun 29, 2018

PROPagate Code Injection Technique Detected in the Wild for the First Time

PROPagate is a relatively new code injection technique discovered last November. Back then, a security researcher found that an attacker could abuse the SetWindowSubclass API, a function of the Windows operating system that manages GUIs, to load and execute malicious code inside the processes of legitimate apps. The infosec research community deemed the technique innovative, similar in creativity to the AtomBombing technique, albeit both different in their own right.

But while it took malware authors four months to weaponize AtomBombing and use it in active malware campaigns, PROPagate proved to be a little harder to integrate, as its first appearance came in the double the time. In a report published yesterday, FireEye, a leading cyber-security firm, discovered one malware campaign using the PROPagate technique to inject malware into legitimate processes. On this page, the RIG exploit kit uses one of three techniques —via malicious JavaScript, Flash, or Visual Basic script— to download and run a malicious NSIS installer.

The installer triggers a three-stage mechanism that incorporates the PROPagate technique to infect the user with the final payload —a Monero cryptocurrency miner. According to FireEye, the NSIS installer ‘leverages the PROPagate injection technique to inject shellcode into explorer.exe,’ hiding malicious code into a benign looking process.