News & Commentary

8/8/2018
09:30 AM
Scott Nusbaum
Scott Nusbaum
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Breaking Down the PROPagate Code Injection Attack

What makes PROPagate unique is that it uses Windows APIs to take advantage of the way Windows subclasses its window events.

Attackers have a new way to sneak malicious code into benign processes. It is called PROPagate, and it is a stealthy code injection technique that is now being used in a growing number of attacks.

Recent campaigns such as Smoke Loader, used to install Monero Miner software, have utilized PROPagate in place of other injection methods. Smoke Loader has been known to use multiple injection methods to hide its stagers in the memory space of Explorer.exe. These techniques include, but are not limited to, SetWindowLong and CreateProcessInternalW. The newest versions implement PROPagate as a method to vary signatures and bypass detection.

So why are criminal campaigns using PROPagate?

The primary reason is stealth. Similar to other code injection methods, PROPagate inserts malicious code into a legitimate running process in order to make detection difficult, since no abnormal processes are being executed. It then invokes that inserted code to run the clandestine attack.

PROPagate enumerates the windows on the system with the same user privileges of the user executing it to find those that implement the SetWindowSubclass API. It then inserts the shellcode it wishes to execute into the memory of the process. Next, it registers a new property through the SetPropA function that, when invoked, will pass execution to the shellcode. This means that the shellcode will lie dormant until a window event occurs. When this event occurs, the benign process will execute the shellcode.

What makes PROPagate unique is that it uses Windows APIs that are available on all Windows systems. PROPagate takes advantage of the way Windows subclasses its window events. The SetProp is used to modify the property value to call the injected malicious code when its event is triggered.

Attributes: PROPagate's primary benefit is its ability to hide the attacker's activity.
The code injected into the running process is harder to detect by incident response. One way this can be used by attackers, as shown in the Smoke Loader example, is to inject a payload into a benign process, such as Explorer.exe, and use that benign process to download and install the intended malware. The download and installation will originate from the Explorer process ID, which could be overlooked by sandboxes and researchers. Another option for attackers is to create a backdoor into the system by opening a connection to a command and control server. Additionally, an attacker could launch the malware through any known persistence mechanisms, injecting the shellcode into benign processes, then have the malware delete the persistence mechanism and the file from the disk. When the malware receives a shutdown event, it simply replaces the persistence mechanism and writes itself back to the disk.

Weaknesses: PROPagate has two important limitations for the attacker.
First, it does not facilitate Remote Code Execution (RCE), so in order to utilize it, the attacker must already be on the system. Second, it is restricted to injecting only into processes with equal or lesser privileges, so PROPagate cannot be used to escalate privileges.

Here is a brief overview of how PROPagate is launched:

  1. Enumerate the windows of running processes to find one using the SetWindowSubclass API.
  2. Open the enumerated process.
  3. Copy an existing property from the process.
  4. Create two memory regions in the benign process.
  5. Modify the property to point to a memory region just created.
  6. Copy shellcode into the one of the memory regions created in the benign process and copy the modified property into the other memory region.
  7. Use the API command SetProp to load the modified property into the benign process.
  8. Trigger the payload by issuing an event to the benign process, such as Terminate Window.
  9. Reset the property list to its original value.
  10. Clean up and exit the malicious code.

In the Wild: A Brief Overview of a Current Propagate Attack Campaign
Smoke Loader (VirusShare has 28 variants)

MD5 => 0cfcc4737bb1b07bc3563144b297f873

  • Preliminary review did not show signs of the SetProp or SetWindowSubclass
  • Exploded with Cuckoo Sandbox. Flagged as malicious but did not flag on the PROPagate injection method. There are multiple injections happening in this sample.
  • Injection method uses CreateProcessInternalW.

MD5 => a080729856d6c06d69780e70a7298004

  • Preliminary review did not show signs of the SetProp or SetWindowSubclass.
  • Use the SetWindowLong injection method not PROPagate.

Detection

Figure 1: Cuckoo analysis summary for proof of concept.
Figure 1: Cuckoo analysis summary for proof of concept.

At the time of this writing, the detection of PROPagate is not built into Cuckoo Sandbox (see Figure 1, above). When the author tested for Cuckoo detection through a proof of concept, it was flagged for creating read-write-executable memory but not for injecting code into the Explorer.exe or triggering an event.

Figure 2: Cuckoo signature alerts to read-write-execute memory creation.
Figure 2: Cuckoo signature alerts to read-write-execute memory creation.

Cuckoo flagged the sample with a very low score and did not alert that a new process was created from Explorer.exe. The proof-of-concept shellcode was not configured to exit cleanly and crashed the Explorer.exe process. Cuckoo does not look for the usage of SetProp or SetPropA.

PROPagate is an effective method for stealthy code injections, particularly through its ability to launch in valid processes. However, its capabilities are limited — the attacker must already be on the system to launch PROPagate because it does not facilitate RCE, and the attacker can only execute under the same user privileges. To detect this attack, it is important to add monitoring of SetProp/SetWindowsSubclass APIs.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Scott specializes in malware research/reverse engineering and incident response. He's developed malware detection tools for a multinational conglomerate, analyzed APT attacks and tool kits, and consulted for the defense, manufacturing and financial industries. He's spent over ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20102
PUBLISHED: 2018-12-12
An out-of-bounds read in dns_validate_dns_response in dns.c was discovered in HAProxy through 1.8.14. Due to a missing check when validating DNS responses, remote attackers might be able read the 16 bytes corresponding to an AAAA record from the non-initialized part of the buffer, possibly accessing...
CVE-2018-20103
PUBLISHED: 2018-12-12
An issue was discovered in dns.c in HAProxy through 1.8.14. In the case of a compressed pointer, a crafted packet can trigger infinite recursion by making the pointer point to itself, or create a long chain of valid pointers resulting in stack exhaustion.
CVE-2018-1480
PUBLISHED: 2018-12-12
IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the 'HttpOnly' attribute on authorization tokens or session cookies. If a Cross-Site Scripting vulnerability also existed attackers may be able to get the cookie values via malicious JavaScript and then hijack the user sessi...
CVE-2018-1481
PUBLISHED: 2018-12-12
IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 140763.
CVE-2018-1484
PUBLISHED: 2018-12-12
IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent...