PROPagate Code Injection

A code injection technique first discovered by a Hexacorn security researcher has been actively used in a malware campaign. The technique, dubbed PROPagate, was recently identified by FireEye as being used to inject malware into legitimate processes in a RIG exploit kit campaign. In this campaign, RIG hijacks traffic from a legitimate site, using hidden iframes and redirecting users to a landing page. When the victim visits this page, the exploit kit uses several methods, including a Flash exploit, Visual Basic Script, or malicious JavaScript, to deliver an NSIS (Nullsoft Scriptable Install System) installer. Once the NSIS installer is downloaded, PROPagate is used to infect the victim with a Monero cryptocurrency miner. The NJCCIC recommends reviewing the FireEye report on PROPagate for more information and ensuring that anti-virus/anti-malware programs and all hardware and software, particularly web browsers, are kept up to date.