CAPEC-698 Detail
Install Malicious Extension
Abstraction: Detailed | Domain: Software | Likelihood of Attack: Medium | Typical Severity: High
Parents: 542
Threats: T284 T389 T403
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-698 | capec | https://capec.mitre.org/data/definitions/698.html | |
| CWE-507 | cwe | http://cwe.mitre.org/data/definitions/507.html | |
| CWE-829 | cwe | http://cwe.mitre.org/data/definitions/829.html | |
| T1176 | ATTACK | https://attack.mitre.org/wiki/Technique/T1176 | Browser Extensions |
| T1505.004 | ATTACK | https://attack.mitre.org/wiki/Technique/T1505/004 | Server Software Component: IIS Components |
| REF-740 | reference_from_CAPEC | https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ | Robert Falcone, OilRig uses RGDoor IIS Backdoor on Targets in the Middle East, 2018-01-25, Palo Alto Networks |
| REF-741 | reference_from_CAPEC | https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia | ASERT Team, STOLEN PENCIL Campaign Targets Academia, 2018-12-05, NETSCOUT |
Explore
- Identify target(s): The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base.
Experiment
- Create malicious extension: Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic.
Exploit
- Install malicious extension: The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.
| Techniques |
|---|
| Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themselves. |
| User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware to a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component. |
- The adversary must craft malware based on the type of software and system(s) they intend to exploit.
- If the adversary intends to install the malicious extension themselves, they must first compromise the target machine via some other means.
Not present
| Skills Required | Level |
|---|---|
| Optional: Ability to exploit target system(s) via other means in order to gain entry. | Medium |
| Integrity | Authorization | Access Control | Confidentiality |
|---|---|---|---|
| Modify Data | Execute Unauthorized Commands | Execute Unauthorized Commands | Read Data |
| Alter Execution Logic | Alter Execution Logic | | |
| Gain Privileges | Gain Privileges | | |
- In January 2018, Palo Alto's Unit 42 reported that a malicious Internet Information Services (IIS) extension they named RGDoor was used to create a backdoor into several Middle Eastern government organizations, as well as a financial institution and an educational institution. This malware was used in conjunction with the TwoFace webshell and allowed the adversaries to upload/download files and execute unauthorized commands. [REF-740]
- In December 2018, it was reported that the North Korea-based APT Kimsuky (also known as Velvet Chollima) infected numerous legitimate academic organizations within the U.S., many specializing in biomedical engineering, with a malicious Google Chrome extension. Dubbed "Operation STOLEN PENCIL", the attack entailed conducting spear-phishing attacks to trick victims into installing a malicious PDF reader named "Auto Font Manager". Once installed, the malware allowed adversaries to steal cookies and site passwords, as well as forward emails from some compromised accounts. [REF-741]