Attackers have a new way to sneak malicious code into benign processes. It is called PROPagate, and it is a stealthy code injection technique that is now being used in a growing number of attacks.
Recent campaigns such as Smoke Loader, used to install Monero Miner software, have utilized PROPagate in place of other injection methods. Smoke Loader has been known to use multiple injection methods to hide its stagers in the memory space of Explorer.exe. These techniques include, but are not limited to, SetWindowLong and CreateProcessInternalW. The newest versions implement PROPagate as a method to vary signatures and bypass detection.
So why are criminal campaigns using PROPagate?
The primary reason is stealth. Similar to other code injection methods, PROPagate inserts malicious code into a legitimate running process in order to make detection difficult, since no abnormal processes are being executed. It then invokes that inserted code to run the clandestine attack.
PROPagate enumerates the windows on the system with the same user privileges of the user executing it to find those that implement the SetWindowSubclass API. It then inserts the shellcode it wishes to execute into the memory of the process. Next, it registers a new property through the SetPropA function that, when invoked, will pass execution to the shellcode. This means that the shellcode will lie dormant until a window event occurs. When this event occurs, the benign process will execute the shellcode.
What makes PROPagate unique is that it uses Windows APIs that are available on all Windows systems. PROPagate takes advantage of the way Windows subclasses its window events. The SetProp is used to modify the property value to call the injected malicious code when its event is triggered.
Attributes: PROPagate's primary benefit is its ability to hide the attacker's activity.
The code injected into the running process is harder to detect by incident response. One way this can be used by attackers, as shown in the Smoke Loader example, is to inject a payload into a benign process, such as Explorer.exe, and use that benign process to download and install the intended malware. The download and installation will originate from the Explorer process ID, which could be overlooked by sandboxes and researchers. Another option for attackers is to create a backdoor into the system by opening a connection to a command and control server. Additionally, an attacker could launch the malware through any known persistence mechanisms, injecting the shellcode into benign processes, then have the malware delete the persistence mechanism and the file from the disk. When the malware receives a shutdown event, it simply replaces the persistence mechanism and writes itself back to the disk.
Weaknesses: PROPagate has two important limitations for the attacker.
First, it does not facilitate Remote Code Execution (RCE), so in order to utilize it, the attacker must already be on the system. Second, it is restricted to injecting only into processes with equal or lesser privileges, so PROPagate cannot be used to escalate privileges.
Here is a brief overview of how PROPagate is launched:
In the Wild: A Brief Overview of a Current Propagate Attack Campaign
Smoke Loader (VirusShare has 28 variants)
MD5 => 0cfcc4737bb1b07bc3563144b297f873
MD5 => a080729856d6c06d69780e70a7298004
At the time of this writing, the detection of PROPagate is not built into Cuckoo Sandbox (see Figure 1, above). When the author tested for Cuckoo detection through a proof of concept, it was flagged for creating read-write-executable memory but not for injecting code into the Explorer.exe or triggering an event.
Cuckoo flagged the sample with a very low score and did not alert that a new process was created from Explorer.exe. The proof-of-concept shellcode was not configured to exit cleanly and crashed the Explorer.exe process. Cuckoo does not look for the usage of SetProp or SetPropA.
PROPagate is an effective method for stealthy code injections, particularly through its ability to launch in valid processes. However, its capabilities are limited — the attacker must already be on the system to launch PROPagate because it does not facilitate RCE, and the attacker can only execute under the same user privileges. To detect this attack, it is important to add monitoring of SetProp/SetWindowsSubclass APIs.
Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info.Scott specializes in malware research/reverse engineering and incident response. He's developed malware detection tools for a multinational conglomerate, analyzed APT attacks and tool kits, and consulted for the defense, manufacturing and financial industries. He's spent over ... View Full Bio