Dark Reading, News & Commentary
8/8/2018 09:30 AM
Scott Nusbaum
Commentary
Breaking Down the PROPagate Code Injection Attack

What makes PROPagate unique is that it uses Windows APIs to take advantage of the way Windows subclasses its window events.

Attackers have a new way to sneak malicious code into benign processes. It is called PROPagate, and it is a stealthy code injection technique that is now being used in a growing number of attacks.

Recent campaigns such as Smoke Loader, which has been used to install Monero mining software, have adopted PROPagate in place of other injection methods. Smoke Loader has long used several injection methods to hide its stagers in the memory of Explorer.exe, including, but not limited to, SetWindowLong and CreateProcessInternalW. The newest versions add PROPagate as a way to vary their signature and evade detection.

So why are criminal campaigns using PROPagate?

The primary reason is stealth. Like other code injection methods, PROPagate inserts malicious code into a legitimate running process in order to make detection difficult: no new or abnormal process ever appears. It then invokes that inserted code to carry out the clandestine attack.

PROPagate enumerates the windows visible to the user running it and looks for those that have been subclassed with the SetWindowSubclass API. It writes the shellcode it wishes to execute into the memory of the process that owns such a window. Next, it calls SetPropA to replace the window property that SetWindowSubclass created with one whose callback pointer leads to the shellcode. The shellcode therefore lies dormant until a window message arrives; when one does, the benign process's own message handling calls the shellcode.

What makes PROPagate distinctive is that it relies only on documented Windows APIs that are present on every Windows system. It abuses the way Windows subclasses windows: SetWindowSubclass records its callback in a window property, and the injector uses SetProp to overwrite that property so the next window message is routed to the injected malicious code.

Attributes: PROPagate's primary benefit is its ability to hide the attacker's activity.
Code injected into a running process is harder for incident responders to detect. One way attackers use this, as the Smoke Loader example shows, is to inject a payload into a benign process such as Explorer.exe and have that process download and install the intended malware. The download and installation then originate from the Explorer process ID, which sandboxes and researchers can easily overlook. Another option is to open a backdoor by connecting out to a command-and-control server from the benign process. An attacker could also launch the malware through any known persistence mechanism, inject the shellcode into benign processes, and then have the malware delete both the persistence mechanism and its file from disk; when the malware receives a shutdown event, it simply re-creates the persistence mechanism and writes itself back to disk.

Weaknesses: PROPagate has two important limitations for the attacker.
First, it does not provide remote code execution (RCE): the attacker must already be running code on the system in order to use it. Second, it can inject only into processes with equal or lesser privileges, because the injector must be able to open the target process with write access, so PROPagate cannot be used to escalate privileges.

Here is a brief overview of how PROPagate is launched:

  1. Enumerate the windows of running processes to find one that has been subclassed with the SetWindowSubclass API.
  2. Open the process that owns that window.
  3. Read the existing subclass property out of that process.
  4. Allocate two memory regions in the benign process.
  5. Modify the copied property so that its callback points into one of the regions just allocated.
  6. Write the shellcode into that region and the modified property into the other.
  7. Call SetProp to install the modified property on the window.
  8. Trigger the payload by sending the window a message, such as a close/terminate message.
  9. Restore the property to its original value.
  10. Clean up and exit the malicious code.
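Steps 3 through 7 above hinge on the property that SetWindowSubclass stores on the window. The following hunting script is an added example for this article, not code from the original page, from Smoke Loader or from any PROPagate proof of concept. It assumes, and you should verify this against your comctl32 build, that the property is named "UxSubclassInfo" (comctl32 v6) or "CC32SubclassInfo" (older builds), that its value is a pointer to a SUBCLASS_HEADER inside the owning process, and that the header is laid out as in comctl32's subclass.c (uRefs, uAlloc, uCleanup, dwThreadId, pFrameCur, then an array of {pfnSubclass, uIdSubclass, dwRefData}). Because the injector redirects pfnSubclass into freshly allocated memory, a callback that is not backed by any loaded module is the artifact to look for. The parsing and classification are platform-neutral and run on a constructed sample header; scan_windows() is the Windows-only front end.

```python
"""Hunt for comctl32 subclass callbacks that do not point into a loaded module.

Added example; not code from the article or from any PROPagate sample. The
SUBCLASS_HEADER layout and property names below are assumptions to verify
against your comctl32 build:

    UINT uRefs; UINT uAlloc; UINT uCleanup; DWORD dwThreadId;
    SUBCLASS_FRAME *pFrameCur;
    SUBCLASS_CALL CallArray[];  # {SUBCLASSPROC pfnSubclass; UINT_PTR uIdSubclass; DWORD_PTR dwRefData}
"""
import struct

PROP_NAMES = ("UxSubclassInfo", "CC32SubclassInfo")
MAX_ENTRIES = 8  # CallArray entries we read; keeps the remote read within one small buffer


def audit_header(blob, ptr_size, module_ranges):
    """Parse a SUBCLASS_HEADER read from the target and classify each callback.

    module_ranges: [(base, size), ...] for the target's loaded modules.
    Returns [(index, pfnSubclass, verdict)], verdict in {"empty", "module", "unbacked"}.
    """
    u_refs, u_alloc, _u_cleanup, _tid = struct.unpack_from("<IIII", blob, 0)
    ptr_fmt = "<Q" if ptr_size == 8 else "<I"
    off = 16 + ptr_size  # skip pFrameCur
    results = []
    for i in range(min(u_refs, u_alloc, MAX_ENTRIES)):
        (pfn,) = struct.unpack_from(ptr_fmt, blob, off)
        off += 3 * ptr_size  # sizeof(SUBCLASS_CALL)
        if pfn == 0:
            verdict = "empty"
        elif any(base <= pfn < base + size for base, size in module_ranges):
            verdict = "module"
        else:
            verdict = "unbacked"  # candidate PROPagate hook: code outside every image
        results.append((i, pfn, verdict))
    return results


# Constructed sample (not captured from a real host): an x64 header with two
# callbacks, the first inside a made-up comctl32 image, the second in anonymous memory.
SAMPLE_MODULES = [(0x7FF610000000, 0x180000)]
SAMPLE_HEADER_X64 = (
    struct.pack("<IIIIQ", 2, 2, 0, 0x1234, 0)
    + struct.pack("<QQQ", 0x7FF61002A000, 0, 0)
    + struct.pack("<QQQ", 0x2A1B3F0000, 0x1337, 0)
)


def scan_windows(max_entries=MAX_ENTRIES):
    """Windows only: walk top-level windows and report unbacked subclass callbacks.

    Runs with the caller's privileges, so it can only inspect processes it can
    open, which matches the injector's own constraint. Use a Python of the same
    bitness as the processes you want to inspect (the header layout differs).
    """
    import ctypes
    from ctypes import wintypes

    user32, kernel32, psapi = ctypes.windll.user32, ctypes.windll.kernel32, ctypes.windll.psapi
    user32.GetPropW.restype = ctypes.c_void_p
    user32.GetPropW.argtypes = (wintypes.HWND, wintypes.LPCWSTR)
    kernel32.OpenProcess.restype = wintypes.HANDLE
    kernel32.ReadProcessMemory.argtypes = (wintypes.HANDLE, ctypes.c_void_p, ctypes.c_void_p,
                                           ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t))

    class MODULEINFO(ctypes.Structure):
        _fields_ = [("lpBaseOfDll", ctypes.c_void_p), ("SizeOfImage", wintypes.DWORD),
                    ("EntryPoint", ctypes.c_void_p)]

    psapi.EnumProcessModulesEx.argtypes = (wintypes.HANDLE, ctypes.POINTER(wintypes.HMODULE),
                                           wintypes.DWORD, ctypes.POINTER(wintypes.DWORD), wintypes.DWORD)
    psapi.GetModuleInformation.argtypes = (wintypes.HANDLE, wintypes.HMODULE,
                                           ctypes.POINTER(MODULEINFO), wintypes.DWORD)
    ptr_size = ctypes.sizeof(ctypes.c_void_p)

    def module_ranges(hproc):
        mods = (wintypes.HMODULE * 1024)()
        needed = wintypes.DWORD()
        if not psapi.EnumProcessModulesEx(hproc, mods, ctypes.sizeof(mods), ctypes.byref(needed), 0x03):
            return []
        ranges = []
        for i in range(min(needed.value // ctypes.sizeof(wintypes.HMODULE), 1024)):
            mi = MODULEINFO()
            if psapi.GetModuleInformation(hproc, mods[i], ctypes.byref(mi), ctypes.sizeof(mi)):
                ranges.append((mi.lpBaseOfDll, mi.SizeOfImage))
        return ranges

    findings = []

    @ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    def on_window(hwnd, _lparam):
        for name in PROP_NAMES:
            header = user32.GetPropW(hwnd, name)  # pointer in the OWNING process's address space
            if not header:
                continue
            pid = wintypes.DWORD()
            user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
            hproc = kernel32.OpenProcess(0x0410, False, pid.value)  # QUERY_INFORMATION | VM_READ
            if not hproc:
                continue
            buf = ctypes.create_string_buffer(16 + ptr_size + max_entries * 3 * ptr_size)
            got = ctypes.c_size_t()
            if kernel32.ReadProcessMemory(hproc, header, buf, len(buf), ctypes.byref(got)):
                for idx, pfn, verdict in audit_header(buf.raw[:got.value], ptr_size, module_ranges(hproc)):
                    if verdict == "unbacked":
                        findings.append((pid.value, hwnd, name, idx, pfn))
            kernel32.CloseHandle(hproc)
        return True

    user32.EnumWindows(on_window, 0)
    return findings


if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        for pid, hwnd, name, idx, pfn in scan_windows():
            print(f"pid {pid} hwnd {hwnd:#x} {name}[{idx}] -> {pfn:#x} (not in any loaded module)")
    else:
        print(audit_header(SAMPLE_HEADER_X64, 8, SAMPLE_MODULES))
```

Treat an "unbacked" hit as a lead, not a verdict: JIT-compiled or packed GUI code can legitimately live outside an image, so confirm by dumping the region the callback points into. A ReadProcessMemory failure on the header read usually means the buffer ran past the end of the allocation; lower max_entries before concluding anything.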

In the Wild: A Brief Overview of a Current PROPagate Attack Campaign
Smoke Loader (VirusShare lists 28 variants)

MD5 => 0cfcc4737bb1b07bc3563144b297f873

  • Preliminary review did not show signs of SetProp or SetWindowSubclass use.
  • Detonated in Cuckoo Sandbox. Flagged as malicious, but not for the PROPagate injection method. Multiple injections happen in this sample.
  • Injection method uses CreateProcessInternalW.

MD5 => a080729856d6c06d69780e70a7298004

  • Preliminary review did not show signs of SetProp or SetWindowSubclass use.
  • Uses the SetWindowLong injection method, not PROPagate.

Detection

At the time of this writing, detection of PROPagate is not built into Cuckoo Sandbox (see Figure 1, above). When the author ran a proof of concept through Cuckoo, it was flagged for creating read-write-execute memory but not for injecting code into Explorer.exe or for triggering the window event.

Cuckoo gave the sample a very low score and did not alert that a new process had been created from Explorer.exe. The proof-of-concept shellcode was not written to exit cleanly and crashed the Explorer.exe process. Cuckoo does not look for use of SetPropA or SetPropW, the two exports behind the SetProp macro.

PROPagate is an effective method for stealthy code injection, particularly because it executes inside a valid process. Its capabilities are limited, however: the attacker must already be on the system, because PROPagate does not provide RCE, and the injected code runs only with the attacker's existing user privileges. To detect this attack, add monitoring of the SetProp and SetWindowSubclass APIs, and correlate a SetProp call against another process's window with the cross-process memory write that precedes it.
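The monitoring recommended above needs a rule behind it. The detector below is an added example for this section; it is not part of the article and is not a Cuckoo signature (as noted, Cuckoo does not hook SetProp). It consumes a constructed, simplified API trace, one dict per hooked call with the calling pid, API name, arguments and return value, and flags an attacker/victim pair when a cross-process WriteProcessMemory is followed by SetProp on a window owned by the victim and then a message sent to that window. Real monitors (Cuckoo's behavior log, EDR API telemetry) use different field names, so map them into this shape first; the argument names here follow the Win32 signatures but the record format itself is an assumption of this example.

```python
"""Flag a PROPagate-style injection sequence in an API-call trace.

Added example, not from the article. Input records are a constructed shape:
{"pid": caller, "api": name, "args": {...}, "ret": value}.
"""
from collections import defaultdict

SUBCLASS_PROPS = {"UxSubclassInfo", "CC32SubclassInfo"}  # properties SetWindowSubclass creates
TRIGGER_APIS = {"SendMessageA", "SendMessageW", "PostMessageA", "PostMessageW",
                "SendNotifyMessageA", "SendNotifyMessageW"}
PAGE_EXECUTE_READWRITE = 0x40


def detect_propagate(trace):
    """Return [(attacker_pid, victim_pid, evidence)] for each pair showing
    cross-process write -> SetProp on a victim window -> message to that window.

    An RWX VirtualAllocEx raises confidence but is not required: the code and
    the forged property can be written into separate regions (as in the
    procedure above) or into memory that is already executable.
    """
    handles = {}      # (caller pid, handle) -> target pid, learned from OpenProcess
    hwnd_owner = {}   # hwnd -> owning pid, learned from GetWindowThreadProcessId
    state = defaultdict(lambda: {"rwx": False, "wrote": False, "props": set(), "msgs": set()})

    for rec in trace:
        pid, api, a, ret = rec["pid"], rec["api"], rec.get("args", {}), rec.get("ret")
        if api == "OpenProcess" and ret:
            handles[(pid, ret)] = a["dwProcessId"]
        elif api == "GetWindowThreadProcessId" and ret:
            hwnd_owner[a["hWnd"]] = a["lpdwProcessId"]   # out-param value, as the monitor logged it
        elif api in ("VirtualAllocEx", "WriteProcessMemory"):
            target = handles.get((pid, a["hProcess"]))
            if target is None or target == pid:
                continue                                   # own process or unknown handle: ignore
            s = state[(pid, target)]
            if api == "VirtualAllocEx" and a.get("flProtect") == PAGE_EXECUTE_READWRITE:
                s["rwx"] = True
            if api == "WriteProcessMemory":
                s["wrote"] = True
        elif api in ("SetPropA", "SetPropW"):
            target = hwnd_owner.get(a["hWnd"])
            if target is not None and target != pid:       # property set on ANOTHER process's window
                state[(pid, target)]["props"].add((a["hWnd"], a["lpString"]))
        elif api in TRIGGER_APIS:
            target = hwnd_owner.get(a["hWnd"])
            if target is not None and target != pid:
                state[(pid, target)]["msgs"].add(a["hWnd"])

    findings = []
    for (attacker, victim), s in state.items():
        hooked = {hwnd for hwnd, _ in s["props"]}
        if s["wrote"] and hooked:
            evidence = {
                "rwx_alloc": s["rwx"],
                "subclass_prop": any(name in SUBCLASS_PROPS for _, name in s["props"]),
                "triggered": bool(hooked & s["msgs"]),
            }
            findings.append((attacker, victim, evidence))
    return findings


# Constructed trace (not a real capture): pid 4120 hooks a window owned by pid 1376
# (Explorer in this scenario); pid 2210 is benign noise setting a property on its own window.
SAMPLE_TRACE = [
    {"pid": 4120, "api": "GetWindowThreadProcessId", "args": {"hWnd": 0x10204, "lpdwProcessId": 1376}, "ret": 1400},
    {"pid": 4120, "api": "OpenProcess", "args": {"dwDesiredAccess": 0x1F0FFF, "dwProcessId": 1376}, "ret": 0x2C8},
    {"pid": 4120, "api": "VirtualAllocEx", "args": {"hProcess": 0x2C8, "dwSize": 0x1000, "flProtect": 0x40}, "ret": 0x2A1B3F0000},
    {"pid": 4120, "api": "VirtualAllocEx", "args": {"hProcess": 0x2C8, "dwSize": 0x100, "flProtect": 0x04}, "ret": 0x2A1B400000},
    {"pid": 4120, "api": "WriteProcessMemory", "args": {"hProcess": 0x2C8, "lpBaseAddress": 0x2A1B3F0000, "nSize": 0x1000}, "ret": 1},
    {"pid": 4120, "api": "WriteProcessMemory", "args": {"hProcess": 0x2C8, "lpBaseAddress": 0x2A1B400000, "nSize": 0x100}, "ret": 1},
    {"pid": 4120, "api": "SetPropA", "args": {"hWnd": 0x10204, "lpString": "UxSubclassInfo", "hData": 0x2A1B400000}, "ret": 1},
    {"pid": 4120, "api": "PostMessageA", "args": {"hWnd": 0x10204, "Msg": 0x10}, "ret": 1},  # WM_CLOSE
    {"pid": 2210, "api": "GetWindowThreadProcessId", "args": {"hWnd": 0x30552, "lpdwProcessId": 2210}, "ret": 2220},
    {"pid": 2210, "api": "SetPropA", "args": {"hWnd": 0x30552, "lpString": "MyAppState", "hData": 1}, "ret": 1},
]

if __name__ == "__main__":
    for attacker, victim, evidence in detect_propagate(SAMPLE_TRACE):
        print(f"PROPagate-like injection: pid {attacker} -> pid {victim} {evidence}")
```

The key discriminator is the cross-process SetProp: a process setting a property on a window it owns is routine GUI behaviour, while setting one on another process's window right after writing that process's memory has almost no legitimate use. Keep "subclass_prop" and "triggered" as confidence boosters rather than requirements, since the property name can be queried through GetProp in ways the monitor may not log, and the trigger message may come from ordinary user activity rather than from the injector.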

Scott specializes in malware research/reverse engineering and incident response. He's developed malware detection tools for a multinational conglomerate, analyzed APT attacks and tool kits, and consulted for the defense, manufacturing and financial industries. He's spent over ...