CAPEC-698

Install Malicious Extension
Medium
High
Stable
2022-09-29
00h00 +00:00
CAPEC Mitre.org
Alerte pour un CAPEC
Stay informed of any changes for a specific CAPEC.
Notifications manage

Descriptions CAPEC

An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.

Informations CAPEC

Execution Flow

1) Explore

[Identify target(s)] The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base.

2) Experiment

[Create malicious extension] Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic.

3) Exploit

[Install malicious extension] The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.

Technique
  • Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself.
  • User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component.

Prerequisites

The adversary must craft malware based on the type of software and system(s) they intend to exploit.
If the adversary intends to install the malicious extension themself, they must first compromise the target machine via some other means.

Skills Required

Ability to create malicious extensions that can exploit specific software applications and systems.
Optional: Ability to exploit target system(s) via other means in order to gain entry.

Mitigations

Only install extensions/plugins from official/verifiable sources.
Confirm extensions/plugins are legitimate and not malware masquerading as a legitimate extension/plugin.
Ensure the underlying software leveraging the extension/plugin (including operating systems) is up-to-date.
Implement an extension/plugin allow list, based on the given security policy.
If applicable, confirm extensions/plugins are properly signed by the official developers.
For web browsers, close sessions when finished to prevent malicious extensions/plugins from executing the the background.

Related Weaknesses

CWE-ID Weakness Name

CWE-507

 Trojan Horse
The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.

CWE-829

 Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References

REF-740

OilRig uses RGDoor IIS Backdoor on Targets in the Middle East
Robert Falcone.
https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/

REF-741

STOLEN PENCIL Campaign Targets Academia
ASERT Team.
https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia

Submission

Name Organization Date Date release
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00