Delaware, USA – July 4, 2018 – The PROPagate code injection technique was described in November 2017, but adversaries managed to weaponize it only in recent attacks. This technique allows injecting malicious code into a number of MS Windows applications, but it was not considered a serious threat since its exploitation is possible only on already compromised systems. However, eight months later, attackers started to use the PROPagate technique to distribute a Monero coinminer via the RIG exploit kit. In a recent campaign, attackers exploited three vulnerabilities to drop SmokeLoader on attacked systems, which used the PROPagate technique to inject malicious code into explorer.exe and ensure persistence of the Monero coinminer. The researchers from FireEye also noted a number of other differences from previous campaigns.
Exploit kits remain serious threats, as the attackers behind them quickly switch to using new techniques and exploits. In recent months, the RIG exploit kit was very actively used by attackers to infect users with trojans and cryptocurrency miners. No zero-days were exploited in recent campaigns, so installing security updates is necessary to protect against such attacks. You can also leverage SIEM use cases from Threat Detection Marketplace to detect relevant threats. Windows Security Monitor performs statistical analysis and profiling of basic security events to detect deviations and suspicious activity. Sysmon Framework provides actionable dashboards along with a SOC channel that highlights events of interest for SOC Analysts.