PROPagate technique used to inject Monero miner

News by Rene Millman

Security researchers have discovered a RIG Exploit Kit (EK) delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner.

Security researchers have discovered a RIG Exploit Kit (EK) delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner.

According to a blog post by researchers at FireEye, the attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe.

When the user visits a compromised site that is injected with an iframe, the iframe loads the landing page. This landing page contains three different JavaScripts snippets, each of which uses a different technique to deliver the payload. These snippets via a malicious JavaScript, Flash, or Visual Basic script, download and run a malicious NSIS installer.

This compiled NSIS executable famously known as SmokeLoader. 

“Apart from NSIS files, the payload has two components: a DLL, and a data file (named ‘kumar.dll' and ‘abaram.dat' in our analysis case). The DLL has an export function that is invoked by the NSIS executable. This export function has code to read and decrypt the data file, which yields the second stage payload (a portable executable file),” said researchers.

Researchers said that this uses the PROPagate injection technique to inject shellcode into explorer.exe. 

“The PROPagate method is similar to the SetWindowLong injection technique. In this method, the malware uses the SetPropA function to modify the callback for UxSubclassInfo and cause the remote process to execute the malicious code,” said researchers.

Researchers said this code injection technique only works for a process with lesser or equal integrity level.

“If the process is higher than medium integrity level, then the malware proceeds further. If the process is lower than medium integrity level, the malware respawns itself with medium integrity,” said researchers.

This shellcode executes the next payload, which downloads and executes the Monero miner. 

“It creates a MD5 hash value using Microsoft CryptoAPIs from the computer name and the volume information and sends the hash to the server in a POST request,” said researchers.

Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that the easiest method for defending against this new type of attack and malware is to constantly update applications to their latest version.

“Since the attack vector involves exploiting known, but unpatched, vulnerabilities in commonly deployed software such as Internet Explorer and Adobe Flash, a straightforward protection method would be to update the affected software to its latest build, as fixes for the exploited vulnerabilities have already been issued. Of course, any and all endpoints within organisations should have a security solution installed, capable of detecting malicious payloads, such as cryptojackers, regardless if it's being deployed through unpatched vulnerabilities,” he said.

Niall Sheffield, lead solutions engineer at SentinelOne, told SC Media UK that investing in solutions that dynamically detect exploits from every vector will enable organisations to better equip themselves to withstand new attacks. “As new attack methods such as this become available, if organisations are having to perform diligence on whether their existing solution can protect them, then they are going to be behind the defence curve,” he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews