Breaking Down the PROPagate Code Injection Attack
What makes PROPagate unique is that it uses Windows APIs to take advantage of the way Windows subclasses its window events.
Attackers have a new way to sneak malicious code into benign processes. It is called PROPagate, and it is a stealthy code injection technique that is now being used in a growing number of attacks.
Recent campaigns such as Smoke Loader, used to install Monero Miner software, have utilized PROPagate in place of other injection methods. Smoke Loader has been known to use multiple injection methods to hide its stagers in the memory space of Explorer.exe. These techniques include, but are not limited to, SetWindowLong and CreateProcessInternalW. The newest versions implement PROPagate as a method to vary signatures and bypass detection.
So why are criminal campaigns using PROPagate?
The primary reason is stealth. Similar to other code injection methods, PROPagate inserts malicious code into a legitimate running process in order to make detection difficult, since no abnormal processes are being executed. It then invokes that inserted code to run the clandestine attack.
PROPagate enumerates the windows on the system with the same user privileges of the user executing it to find those that implement the SetWindowSubclass API. It then inserts the shellcode it wishes to execute into the memory of the process. Next, it registers a new property through the SetPropA function that, when invoked, will pass execution to the shellcode. This means that the shellcode will lie dormant until a window event occurs. When this event occurs, the benign process will execute the shellcode.
What makes PROPagate unique is that it uses Windows APIs that are available on all Windows systems. PROPagate takes advantage of the way Windows subclasses its window events. The SetProp is used to modify the property value to call the injected malicious code when its event is triggered.
Attributes: PROPagate's primary benefit is its ability to hide the attacker's activity.
The code injected into the running process is harder to detect by incident response. One way this can be used by attackers, as shown in the Smoke Loader example, is to inject a payload into a benign process, such as Explorer.exe, and use that benign process to download and install the intended malware. The download and installation will originate from the Explorer process ID, which could be overlooked by sandboxes and researchers. Another option for attackers is to create a backdoor into the system by opening a connection to a command and control server. Additionally, an attacker could launch the malware through any known persistence mechanisms, injecting the shellcode into benign processes, then have the malware delete the persistence mechanism and the file from the disk. When the malware receives a shutdown event, it simply replaces the persistence mechanism and writes itself back to the disk.
Weaknesses: PROPagate has two important limitations for the attacker.
First, it does not facilitate Remote Code Execution (RCE), so in order to utilize it, the attacker must already be on the system. Second, it is restricted to injecting only into processes with equal or lesser privileges, so PROPagate cannot be used to escalate privileges.
Here is a brief overview of how PROPagate is launched:
Enumerate the windows of running processes to find one using the SetWindowSubclass API.
Open the enumerated process.
Copy an existing property from the process.
Create two memory regions in the benign process.
Modify the property to point to a memory region just created.
Copy shellcode into the one of the memory regions created in the benign process and copy the modified property into the other memory region.
Use the API command SetProp to load the modified property into the benign process.
Trigger the payload by issuing an event to the benign process, such as Terminate Window.
Reset the property list to its original value.
Clean up and exit the malicious code.
In the Wild: A Brief Overview of a Current Propagate Attack Campaign
Smoke Loader (VirusShare has 28 variants)
MD5 => 0cfcc4737bb1b07bc3563144b297f873
Preliminary review did not show signs of the SetProp or SetWindowSubclass
Exploded with Cuckoo Sandbox. Flagged as malicious but did not flag on the PROPagate injection method. There are multiple injections happening in this sample.
Injection method uses CreateProcessInternalW.
MD5 => a080729856d6c06d69780e70a7298004
Preliminary review did not show signs of the SetProp or SetWindowSubclass.
Use the SetWindowLong injection method not PROPagate.
Detection
At the time of this writing, the detection of PROPagate is not built into Cuckoo Sandbox (see Figure 1, above). When the author tested for Cuckoo detection through a proof of concept, it was flagged for creating read-write-executable memory but not for injecting code into the Explorer.exe or triggering an event.
Figure 2: Cuckoo signature alerts to read-write-execute memory creation.
Cuckoo flagged the sample with a very low score and did not alert that a new process was created from Explorer.exe. The proof-of-concept shellcode was not configured to exit cleanly and crashed the Explorer.exe process. Cuckoo does not look for the usage of SetProp or SetPropA.
PROPagate is an effective method for stealthy code injections, particularly through its ability to launch in valid processes. However, its capabilities are limited — the attacker must already be on the system to launch PROPagate because it does not facilitate RCE, and the attacker can only execute under the same user privileges. To detect this attack, it is important to add monitoring of SetProp/SetWindowsSubclass APIs.
Related Content:
Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info.
About the Author
You May Also Like