silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,148
Security firm FireEye has detected that malware authors have deployed the PROPagate code injection technique for the first time inside a live malware distribution campaign.
PROPagate is a relatively new code injection technique discovered last November. Back then, a security researcher found that an attacker could abuse the SetWindowSubclass API, a function of the Windows operating system that manages GUIs, to load and execute malicious code inside the processes of legitimate apps.
The infosec research community deemed the technique innovative, similar in creativity to the AtomBombing technique, albeit both different in their own right.
But while it took malware authors four months to weaponize AtomBombing and use it in active malware campaigns, PROPagate proved to be a little harder to integrate, as its first appearance came in the double the time.
In a report published yesterday, FireEye, a leading cyber-security firm, discovered one malware campaign using the PROPagate technique to inject malware into legitimate processes.
According to FireEye, the operators of the RIG exploit kit have launched a recent campaign that hijacks traffic from legitimate sites using a hidden iframe and redirects them to a so-called "landing page."
On this page, the RIG exploit kit uses one of three techniques —via malicious JavaScript, Flash, or Visual Basic script— to download and run a malicious NSIS installer.