Threat Intel Flash: Sisense Data Compromise: ARC Labs Intelligence Flash

Get the Latest


PROPagate Code Injection Seen for the First Time

Researchers have seen that attackers are deploying PROPagate code injection for the first time in live malware campaigns. First seen in November 2017, researchers had seen that attackers could abuse the SetWindowSubclass API. This a is a function in Windows OS that allows GUIs to load and can be used to execute malicious code inside the process of genuine apps. Researchers claim that the technique is similar to AtomBombing in creativity, however PROPagate is more difficult to integrate. So far, it has been seen that only one malware campaign has utilized the technique to inject malware into legitimate processes. According to researchers, “the operators of the RIG exploit kit have launched a recent campaign that hijacks traffic from legitimate sites using a hidden iframe and redirects them to a so-called landing page.” On the page, the exploit kit utilizes a malicious JavaScript, Flash, or Visual Basic script in order to download and run a malicious NSIS installer. The NSIS installer will trigger a three-stage mechanism that incorporates the PROPagate technique to infect the victim with the final payload, which is a Monero cryptocurrency miner.