Malware creators have used PROPagate in Rig Exploit Kit for the first time
Target: Non specific.
Attack Vector: Compromised website that loads the RIG EK landing page.
Summary: Researchers at FireEye have observed a code injection technique called PROPagate being used in the wild for the first time in a targeted malware campaign. PROPagate is a code injection technique first discovered in November 2017 which takes advantage of generic properties of legitimate Windows GUI management APIs and functions. The SetWindowSubclass API is abused so that malicious code is injected into the processes of legitimate applications, where it is then loaded and executed.
Risk assessment summary: This threat is assessed as 3e MODERATE. This is part of a trend of cryptomining malware being seen regularly used as a source of income for cybercriminals. The affordable price of malware tools like this and their appeal to inexperienced threat actors also drive up the risk. The techniques used in this campaign are likely to be exploited by other actors for more sinister means, such as ransomware, data exfiltration and possibly Denial of Service attacks. Whilst the impact of cryptocurrency miners is moderate, if the exploits used were to deliver a more potent payload, the impact would be raised significantly.
RIG Exploit Kit (EK)
Analysis conducted by Palo Alto compared activity levels, malware payloads and network traffic characteristics from the RIG Exploit Kit (EK) between January 2017 and January 2018. RIG EK was the most prominent and popular EK across 2016, but has since seen a significant decline in its use. The decline in itself is interesting, but the identification by Palo Alto of recent developments in its use has much more business impact.
RIG EK’s decline has been observed since April 2017. Palo Alto views this as the result of arrests and “vendor efforts to fortify browsers and browser-based applications”. Additionally, malicious actors shifted their focus to other types of exploits, with the example of various Microsoft Office vulnerabilities evident. Similarly, actors also began using the phishing attack vector.
Notably, the decline in RIG is not related to obfuscation or anti-detection techniques, although efforts had been made by the authors to include such components. Domain shadowing was removed and replaced with IP addresses. Base64-encoded strings were also used where the exploit kit had previously used English text in domains. The move away from domain shadowing was forced upon the malware’s authors: in June 2017 a coordinated effort, documented by RSA Research, took down the associated domain shadowing infrastructure.
The payload of RIG has also adapted. Analysis by Palo Alto highlighted that 36 out of 39 previous campaigns linked to RIG were used to send different types of ransomware, such as Locky, CryptoMix, CryptoShield and Spora. This has since changed to incorporate the ‘malware of the moment’, crypto miners. Specifically, Ramnit, Remcos RAT, coin miners and GandCrab ransomware were identified.
The threat from RIG EK has somewhat diminished but remains significant. As previously reported, crypto miners in themselves are on the lower end of the malware spectrum when comparing impact to business. The initial infection method, however, still requires remediation to prevent subsequent infections. In the profile by Palo Alto, evidence of the exploit kit switching from a crypto miner to an infostealer was presented. Although the frequency of attacks has changed and is likely to remain low, the change in payload is likely only temporary in nature.