Security firm FireEye has detected that malware authors have deployed the PROPagate code injection technique for the first time inside a live malware distribution campaign.
PROPagate is a relatively new code injection technique discovered last November. Back then, a security researcher found that an attacker could abuse the SetWindowSubclass API, a function of the Windows operating system that manages GUIs, to load and execute malicious code inside the processes of legitimate apps.
The infosec research community deemed the technique innovative, similar in creativity to the AtomBombing technique, albeit both different in their own right.
But while it took malware authors four months to weaponize AtomBombing and use it in active malware campaigns, PROPagate proved to be a little harder to integrate, as its first appearance came in the double the time.
In a report published yesterday, FireEye, a leading cyber-security firm, discovered one malware campaign using the PROPagate technique to inject malware into legitimate processes.
According to FireEye, the operators of the RIG exploit kit have launched a recent campaign that hijacks traffic from legitimate sites using a hidden iframe and redirects them to a so-called "landing page."
The installer triggers a three-stage mechanism that incorporates the PROPagate technique to infect the user with the final payload —a Monero cryptocurrency miner.
According to FireEye, the NSIS installer "leverages the PROPagate injection technique to inject shellcode into explorer.exe," hiding malicious code into a benign looking process.
Bleeping Computer has previously explained in a previous article regarding the effectiveness of exploit kits that an up-to-date browser is usually enough to safeguard users from such threats.