Security firm FireEye has detected that malware authors have deployed the PROPagate code injection technique for the first time inside a live malware distribution campaign.

PROPagate is a relatively new code injection technique discovered last November. Back then, a security researcher found that an attacker could abuse the SetWindowSubclass API, a function of the Windows operating system that manages GUIs, to load and execute malicious code inside the processes of legitimate apps.

The infosec research community deemed the technique innovative, similar in creativity to the AtomBombing technique, albeit both different in their own right.

But while it took malware authors four months to weaponize AtomBombing and use it in active malware campaigns, PROPagate proved to be a little harder to integrate, as its first appearance came in the double the time.

PROPagate found in RIG EK campaign delivering coinminer

In a report published yesterday, FireEye, a leading cyber-security firm, discovered one malware campaign using the PROPagate technique to inject malware into legitimate processes.

According to FireEye, the operators of the RIG exploit kit have launched a recent campaign that hijacks traffic from legitimate sites using a hidden iframe and redirects them to a so-called "landing page."

On this page, the RIG exploit kit uses one of three techniques —via malicious JavaScript, Flash, or Visual Basic script— to download and run a malicious NSIS installer.

RIG EK exploitation

The installer triggers a three-stage mechanism that incorporates the PROPagate technique to infect the user with the final payload —a Monero cryptocurrency miner.

According to FireEye, the NSIS installer "leverages the PROPagate injection technique to inject shellcode into explorer.exe," hiding malicious code into a benign looking process.

PROPagate exploitation

Bleeping Computer has previously explained in a previous article regarding the effectiveness of exploit kits that an up-to-date browser is usually enough to safeguard users from such threats.

Related Articles:

CoinMiners Use New Tricks to Impersonate Adobe Flash Installers

Linux CryptoMiners Are Now Using Rootkits to Stay Hidden

Emotet Trojan Begins Stealing Victim's Email Using New Module

AutoHotkey Malware Is Now a Thing

Exposed Docker APIs Continue to Be Used for Cryptojacking