There is a new RIG exploit kit that is using PROPagate injection technique to deliver Monero miner

Exploit kits aren't as popular as they once were, but make no mistake: attackers have not abandoned them.
This new RIG Exploit Kit (EK) campaign is a dropper that uses the PROPagate injection technique to inject code that downloads and executes a Monero miner.
The attack begins when a victim visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses several techniques to deliver an NSIS (Nullsoft Scriptable Install System) loader, which then uses the PROPagate injection technique to inject shellcode into explorer.exe. This shellcode delivers the next payload, the downloader for the Monero miner.

The iframe landing page contains three different JavaScript snippets; each employs a different technique to deliver the payload.
The first snippet is a JavaScript function, fa, which returns a VBScript that is executed through the execScript function. The VBScript exploits the CVE-2016-0189 vulnerability to download the payload and execute it.
The second snippet is also a JavaScript function; it fetches additional JavaScript code and appends that code to the HTML page. The new code exploits CVE-2015-2419, a vulnerability in JSON.stringify that leads to native code execution.
The third JavaScript snippet is similar to the second. Its code adds a Flash object that exploits CVE-2018-4878 to invoke a command line that creates another JavaScript file named u32.tmp. Once created, the file is launched with WScript, which downloads the next-stage payload and executes it.

Companies and individuals must take precautions against this growing class of attacks; at a minimum they should run a cybersecurity solution, such as an antivirus, to protect their systems. Basic measures include regularly updating the operating system and using an antivirus for Windows or an antivirus for Mac, depending on which OS the device runs. Companies should also hire professional cybersecurity firms to check their internal network a couple of times per year; these checkups should always include a penetration test and other ethical-hacking tests.

Malware Analysis

Analysis of NSIS Loader (SmokeLoader)
The first payload delivered by the RIG EK is a compiled NSIS executable widely known as SmokeLoader. SmokeLoader comes with two components: a DLL (kumar.dll) and a data file. The DLL exports a function that the NSIS executable invokes; this export decrypts the data file, which is the second-stage payload.

Analysis of the second stage payload
The second-stage payload is a highly obfuscated executable that decrypts a chunk of code, executes it, and re-encrypts it.
The malware also implements an anti-VM check: it opens the registry key HKLM\SYSTEM\ControlSet001\Services\Disk\Enum, reads the value named 0, and checks whether the value data contains any of the strings VMware, virtual, qemu, or Xen. If it finds any of them, the malware does not execute the core code that performs the malicious activity.
This core code uses the PROPagate injection method (similar to the SetWindowLong injection technique) to inject and execute code in a targeted process.
If the process runs above medium integrity level, the malware proceeds; if it runs below medium integrity level, it respawns itself at medium integrity.
The malware then decrypts the third-stage payload using XOR and decompresses it with RtlDecompressBuffer.
The third-stage payload is also a PE executable, used to decrypt data.
After decrypting the payload, the malware targets the shell process, explorer.exe, for code injection. It uses the GetShellWindow and GetWindowThreadProcessId APIs to obtain the shell window's thread ID, then injects and maps the decrypted PE into explorer.exe. With the payload in the target process, it uses the EnumChild and EnumProps functions to enumerate every entry in the shell window's property list and compares each against UxSubclassInfo; it saves the matching handle and uses it to set the callback function through SetPropA. SetPropA takes three arguments, the third of which is the data handle. The malware then sends a specific message to the window so that the callback procedure associated with the UxSubclassInfo property runs, which executes the shellcode.
The shellcode calls the entry point of the injected third-stage payload via CreateThread.

Analysis of the third stage payload
First, the malware performs anti-analysis checks and an internet connectivity check by accessing the URL www.msftncsi[.]com/ncsi.txt.
To persist on the system, the malware installs a scheduled task and a shortcut file in the %startup% folder. The scheduled task is named "Opera Scheduled Autoupdate {Decimal Value of GetTickCount()}".
After this, the malware downloads the final payload, a Monero miner, from the malicious URL.
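A defender's view of the third-stage indicators above (the Opera-lookalike scheduled task, the shortcut dropped in the Startup folder, and the msftncsi.com connectivity check issued from the injected explorer.exe): an added Python example, not code from the original write-up, that runs three detection rules over constructed sample events whose field names are borrowed from Windows Security event 4698 and Sysmon events 3 and 11.

```python
import re

# Constructed sample telemetry (not from the original report), one dict per event, with
# field names borrowed from Security Event 4698 and Sysmon Events 3 and 11.
EVENTS = [
    {"id": "4698", "TaskName": "\\Opera Scheduled Autoupdate 1748271",
     "Command": "C:\\Users\\u\\AppData\\Local\\Temp\\ku.exe"},
    {"id": "4698", "TaskName": "\\Opera scheduled Autoupdate 1517226145",
     "Command": "C:\\Program Files\\Opera\\launcher.exe"},
    {"id": "11", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.lnk"},
    {"id": "3", "Image": "C:\\Windows\\explorer.exe", "DestinationHostname": "www.msftncsi.com"},
    {"id": "3", "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "www.msftncsi.com"},
]

TASK_RE = re.compile(r"^\\?Opera scheduled autoupdate \d+$", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
OPERA_DIR = re.compile(r"^C:\\Program Files( \(x86\))?\\Opera\\", re.IGNORECASE)

def check_task(ev):
    # A genuine Opera install registers a task with this same naming pattern, so the
    # rule keys on the task's action: the malware's task runs from a user-writable path.
    if ev.get("id") != "4698" or not TASK_RE.match(ev.get("TaskName", "")):
        return None
    if OPERA_DIR.match(ev.get("Command", "")):
        return None
    return f"persistence: Opera-lookalike task {ev['TaskName']!r} runs {ev['Command']}"

def check_startup_lnk(ev):
    # The payload runs inside explorer.exe, so the creating image looks benign;
    # alert on the Startup-folder path rather than on the process.
    if ev.get("id") == "11" and STARTUP_RE.search(ev.get("TargetFilename", "")):
        return f"persistence: shortcut dropped in Startup by {ev['Image']}"
    return None

def check_ncsi_probe(ev):
    # Windows' own NCSI probe to msftncsi.com is issued from svchost.exe; the same
    # probe from explorer.exe matches the injected stage's connectivity check.
    if (ev.get("id") == "3" and ev.get("DestinationHostname", "").endswith("msftncsi.com")
            and not ev.get("Image", "").lower().endswith("\\svchost.exe")):
        return f"recon: connectivity probe to msftncsi.com from {ev['Image']}"
    return None

RULES = (check_task, check_startup_lnk, check_ncsi_probe)

def detect(events):
    """Run every rule over every event and return the alert strings in order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]
```

Running detect(EVENTS) yields three alerts; the legitimate Opera task and the svchost.exe NCSI probe are not flagged.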

Keep in mind that every device holds significant value and must be protected by at least a cybersecurity solution such as an antivirus. Depending on which OS your device runs, install an antivirus for Windows or an antivirus for Mac for full protection. Companies should take an extra step and hire a professional cybersecurity firm to run security tests against the company's network and implement the best possible solution. Always opt for a package that includes at least a penetration test and an ethical-hacking test. For companies that operate entirely online, we recommend using security-hardened web hosting services.