This technique abuses the SetWindowsSubclass function -- a process used to install or update subclass windows running on the system -- and can be used to modify the properties of windows running in the same session. This can be used to inject code and drop files while also hiding the fact it has happened, making it a useful, stealthy attack.
It's likely that the attackers have observed publically available posts on PROPagate in order to recreate the technique for their own malicious ends.
- PROPagate Code Injection Seen in the Wild
PROPagate Code Injection Seen in the Wild
9 July 2018