430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

RIG Exploit Kit operators leverage PROPagate Injection Technique to deliver Miner

FireEye reported the PROPagate code injection technique that was observed for the first time in a malware distribution campaign in the wild. Security experts from FireEye have documented the PROPagate code injection technique that was observed for the first time in a malware distribution campaign in the wild. The PROPagate code injection technique was first discovered […]

PROPagate injection technique

FireEye reported the PROPagate code injection technique that was observed for the first time in a malware distribution campaign in the wild.

Security experts from FireEye have documented the PROPagate code injection technique that was observed for the first time in a malware distribution campaign in the wild.

The PROPagate code injection technique was first discovered in November 2017 by a Hexacorn security researcher that demonstrated it works on all recent Windows versions and could allow attackers to inject malicious code into other applications.

The expert discovered that it is possible to abuse legitimate GUI window properties (UxSubclassInfo and CC32SubclassInfo) utilized internally by SetWindowSubclass function to load and execute malicious code inside other applications.

Back then, a security researcher found that an attacker could abuse the SetWindowSubclass API, a function of the Windows operating system that manages GUIs, to load and execute malicious code inside the processes of legitimate apps.

Malware authors took several months to adopt the PROPagate code injection technique in a live malware campaign.

Recently the experts at FireEye uncovered a campaign leveraging RIG Exploit Kit delivering Monero miner via the PROPagate code injection technique.

The operators of the RIG exploit kit are hijacking traffic from legitimate sites using a hidden iframe and redirects them to a page hosting the exploit kit. The RIG exploit kit uses three JavaScripts snippets, each of which uses a different technique to deliver the malicious payload. Thre three techniques spread the malware:

  • via malicious JavaScript;
  • via Flash;
  • via Visual Basic script;

Below the attack chain described by FireEye:

“The attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe.” reads the analysis published by FireEye.

“This shellcode executes the next payload, which downloads and executes the Monero miner. “

PROPagate injection technique

The analysis of the payload allowed the experts to determine that threat actors have used multiple payloads and anti-analysis techniques to bypass the analysis environment.

PROPagate code injection

 

“Although we have been observing a decline in Exploit Kit activity, attackers are not abandoning them altogether.” In this blog post, we explored how RIG EK is being used with various exploits to compromise endpoints. We have also shown how the NSIS Loader leverages the lesser known PROPagate process injection technique, possibly in an attempt to evade security products.” concluded FireEye.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – PROPagate code injection, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]