CAPEC-698

Install Malicious Extension
Moyen
Haute
Stable
2022-09-29
00h00 +00:00
CAPEC Mitre.org
Alerte pour un CAPEC
Restez informé de toutes modifications pour un CAPEC spécifique.
Gestion des notifications

Descriptions du CAPEC

An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.

Informations du CAPEC

Flux d'exécution

1) Explore

[Identify target(s)] The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base.

2) Experiment

[Create malicious extension] Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic.

3) Exploit

[Install malicious extension] The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.

Technique
  • Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself.
  • User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component.

Conditions préalables

The adversary must craft malware based on the type of software and system(s) they intend to exploit.
If the adversary intends to install the malicious extension themself, they must first compromise the target machine via some other means.

Compétences requises

Ability to create malicious extensions that can exploit specific software applications and systems.
Optional: Ability to exploit target system(s) via other means in order to gain entry.

Atténuations

Only install extensions/plugins from official/verifiable sources.
Confirm extensions/plugins are legitimate and not malware masquerading as a legitimate extension/plugin.
Ensure the underlying software leveraging the extension/plugin (including operating systems) is up-to-date.
Implement an extension/plugin allow list, based on the given security policy.
If applicable, confirm extensions/plugins are properly signed by the official developers.
For web browsers, close sessions when finished to prevent malicious extensions/plugins from executing the the background.

Faiblesses connexes

CWE-ID Nom de la faiblesse

CWE-507

 Trojan Horse
The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.

CWE-829

 Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Références

REF-740

OilRig uses RGDoor IIS Backdoor on Targets in the Middle East
Robert Falcone.
https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/

REF-741

STOLEN PENCIL Campaign Targets Academia
ASERT Team.
https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia

Soumission

Nom Organisation Date Date de publication
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00