Malware creators have used PROPagate in Rig Exploit Kit for the first time
Target: Non-specific.
Attack Vector: Compromised website that loads the RIG EK landing page.
Summary: Researchers at FireEye have observed a code injection technique called PROPagate being used in the wild for the first time in a targeted malware campaign. PROPagate is a code injection technique, first discovered in November 2017, that takes advantage of generic properties of legitimate Windows GUI management APIs and functions. The SetWindowSubclass API is abused so that malicious code injected into the processes of legitimate applications is loaded and executed.
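As an added defensive triage example (not from this bulletin or the FireEye research): SetWindowSubclass keeps its subclass callback behind the window property named UxSubclassInfo, which is the pointer PROPagate redirects, and a legitimate callback resolves into a loaded EXE or DLL image, so a callback landing in private executable memory is the signal to hunt for. The Windows collection side (EnumWindows, GetProp, GetWindowThreadProcessId, VirtualQueryEx) is assumed and not shown; the window records and memory map below are constructed so the logic runs on any platform.

```python
from bisect import bisect_right
from collections import namedtuple

MEM_IMAGE = 0x1000000      # MEMORY_BASIC_INFORMATION.Type: mapped EXE/DLL
MEM_PRIVATE = 0x20000      # heap / VirtualAlloc memory
EXECUTABLE_PROTECT = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE* values

Region = namedtuple("Region", "base size mem_type protect")  # one VirtualQueryEx result
# One window carrying a UxSubclassInfo property; callback = subclass proc pointer from it
SubclassRecord = namedtuple("SubclassRecord", "hwnd process callback")

class MemoryMap:
    """Address lookup over a process's committed regions."""
    def __init__(self, regions):
        self._regions = sorted(regions, key=lambda r: r.base)
        self._bases = [r.base for r in self._regions]

    def lookup(self, addr):
        i = bisect_right(self._bases, addr) - 1
        if i >= 0 and addr < self._regions[i].base + self._regions[i].size:
            return self._regions[i]
        return None

def classify(rec, memmap):
    region = memmap.lookup(rec.callback)
    if region is None:
        return "suspicious: callback points to unmapped memory"
    if region.mem_type == MEM_IMAGE:
        return "ok"        # expected: callback lives inside the EXE or a DLL
    if region.mem_type == MEM_PRIVATE and region.protect in EXECUTABLE_PROTECT:
        return "suspicious: callback in private executable memory"
    return "suspicious: callback outside any loaded image"  # JIT engines can trip this

def triage(records, maps):
    """Return (hwnd, process, verdict) for every record that is not ok."""
    return [(r.hwnd, r.process, v) for r in records
            if (v := classify(r, maps[r.process])) != "ok"]

# Constructed sample: explorer.exe with one legitimate subclass (callback inside
# comctl32.dll) and one whose callback was redirected into an RWX heap chunk.
SAMPLE_MAPS = {"explorer.exe": MemoryMap([
    Region(0x7FF610000000, 0x300000, MEM_IMAGE, 0x20),    # explorer.exe image
    Region(0x7FFA20000000, 0x180000, MEM_IMAGE, 0x20),    # comctl32.dll image
    Region(0x25000000000, 0x10000, MEM_PRIVATE, 0x40),    # PAGE_EXECUTE_READWRITE heap
])}
SAMPLE_RECORDS = [
    SubclassRecord(0x1A0C, "explorer.exe", 0x7FFA20041230),
    SubclassRecord(0x2B14, "explorer.exe", 0x25000002000),
]
```

Running `triage(SAMPLE_RECORDS, SAMPLE_MAPS)` reports only the second window; a real deployment would feed it live records and treat JIT-heavy processes (browsers, .NET hosts) as an expected source of "outside any loaded image" hits.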
Risk assessment summary: This threat is assessed as 3e MODERATE. It is part of a trend in which cryptomining malware is regularly used as a source of income for cybercriminals. The affordable price of malware tools like this and their appeal to inexperienced threat actors also drive up the risk. The techniques used in this campaign are likely to be exploited by other actors for more sinister ends, such as ransomware, data exfiltration and possibly denial-of-service attacks. Whilst the impact of cryptocurrency miners is moderate, if the exploits used were to deliver a more potent payload, the impact would be raised significantly.