PROPagate Code Injection Technique Detected in the Wild for the First Time

silversurfer

Security firm FireEye has detected that malware authors have deployed the PROPagate code injection technique for the first time inside a live malware distribution campaign.

PROPagate is a relatively new code injection technique discovered last November. Back then, a security researcher found that an attacker could abuse the SetWindowSubclass API, a function of the Windows operating system that manages GUIs, to load and execute malicious code inside the processes of legitimate apps.

The infosec research community deemed the technique innovative, similar in creativity to the AtomBombing technique, albeit both different in their own right.

But while it took malware authors four months to weaponize AtomBombing and use it in active malware campaigns, PROPagate proved to be a little harder to integrate, as its first appearance came in double the time.

In a report published yesterday, FireEye, a leading cyber-security firm, discovered one malware campaign using the PROPagate technique to inject malware into legitimate processes.

According to FireEye, the operators of the RIG exploit kit have launched a recent campaign that hijacks traffic from legitimate sites using a hidden iframe and redirects them to a so-called "landing page."

On this page, the RIG exploit kit uses one of three techniques (via malicious JavaScript, Flash, or Visual Basic script) to download and run a malicious NSIS installer.

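Added example, not code from this post, the article it quotes, FireEye or Hexacorn: a defender-side triage routine built around the one technical detail above, that PROPagate abuses SetWindowSubclass. SetWindowSubclass keeps its bookkeeping (including the subclass procedure pointer) in a per-window property (UxSubclassInfo on current comctl32 builds), so a subclass procedure whose address is not backed by any loaded image in the owning process is the anomaly worth flagging. How the records are collected from live windows, the record layout, the per-process module map, the sample addresses and all helper names here are assumptions made for illustration; only the range-containment analysis is shown.

```python
"""Triage of SetWindowSubclass records: flag subclass procedures that point
outside every loaded image of their process (added example; record collection
and all sample values are constructed, not taken from the thread)."""
from bisect import bisect_right
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """One loaded image in a process (assumed shape of a module listing)."""
    name: str
    base: int
    size: int

    @property
    def end(self) -> int:
        return self.base + self.size  # exclusive upper bound


@dataclass(frozen=True)
class SubclassRecord:
    """Assumed shape of one recovered SetWindowSubclass entry."""
    pid: int
    hwnd: int
    proc_addr: int  # subclass procedure pointer read from the window property


class ModuleMap:
    """Loaded-image ranges of one process, sorted by base for bisect lookups."""

    def __init__(self, modules):
        self._mods = sorted(modules, key=lambda m: m.base)
        self._bases = [m.base for m in self._mods]

    def backing_module(self, addr: int):
        """Return the Module containing addr, or None if no image backs it."""
        i = bisect_right(self._bases, addr) - 1
        if i >= 0 and self._mods[i].base <= addr < self._mods[i].end:
            return self._mods[i]
        return None


def triage(records, module_maps):
    """Classify each record; 'suspicious' means the subclass procedure is not
    inside any loaded image of its process (or the process has no module map)."""
    findings = []
    for r in records:
        mm = module_maps.get(r.pid)
        mod = mm.backing_module(r.proc_addr) if mm else None
        findings.append({
            "pid": r.pid,
            "hwnd": r.hwnd,
            "proc_addr": r.proc_addr,
            "module": mod.name if mod else None,
            "suspicious": mod is None,
        })
    return findings


def suspicious_hwnds(findings):
    """Window handles whose subclass procedure has no image backing."""
    return [f["hwnd"] for f in findings if f["suspicious"]]


# Constructed sample: one process (pid 1234) with three images loaded.
SAMPLE_MODULE_MAPS = {
    1234: ModuleMap([
        Module("explorer.exe", 0x7FF600000000, 0x400000),
        Module("comctl32.dll", 0x7FFA10000000, 0x200000),
        Module("user32.dll", 0x7FFA20000000, 0x1A0000),
    ]),
}

# Constructed records: a legitimate comctl32-backed subclass, a pointer into a
# private (non-image) region, and a pointer exactly one byte past user32's end
# (the boundary case: end is exclusive, so it must not count as backed).
SAMPLE_RECORDS = [
    SubclassRecord(1234, 0x10010, 0x7FFA10012340),
    SubclassRecord(1234, 0x20020, 0x1F4A0000),
    SubclassRecord(1234, 0x30030, 0x7FFA201A0000),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, SAMPLE_MODULE_MAPS):
        tag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"pid={f['pid']} hwnd={f['hwnd']:#x} proc={f['proc_addr']:#x} "
              f"module={f['module']} {tag}")
```

The check is deliberately narrow: it only asks whether a subclass callback lives in an image-backed range, which is the property PROPagate-style injection breaks. A real collector would also need to confirm that the pointer was read from the window's own subclass property rather than from an arbitrary value, and a packed or self-modifying but legitimate module would still pass this test, so treat a hit as a lead for further inspection rather than a verdict.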

upnorth

More great detail on the specific code injection technique here: Hexacorn | Blog
The security flaw affects systems running Windows 7 and later operating systems, and the exploit works through Internet Explorer (IE) and Microsoft Office documents that use the vulnerable script engine.

Rig shows that the decline in exploit kit activity does not mean they’re dead. In fact, other cybercriminals take this as an opportunity to fine-tune their tools and techniques.
Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner - TrendLabs Security Intelligence Blog

Thanks for sharing @silversurfer (y)