| Name |
Install Malicious Extension |
|
| Likelyhood of attack |
Typical severity |
| Medium |
High |
|
| Summary |
An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts. |
| Prerequisites |
The adversary must craft malware based on the type of software and system(s) they intend to exploit. If the adversary intends to install the malicious extension themself, they must first compromise the target machine via some other means. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Identify target(s)] The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base. |
|
| 2 |
Experiment |
[Create malicious extension] Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic. |
|
| 3 |
Exploit |
[Install malicious extension] The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts. |
- Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself.
- User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component.
|
|
| Solutions | Only install extensions/plugins from official/verifiable sources. Confirm extensions/plugins are legitimate and not malware masquerading as a legitimate extension/plugin. Ensure the underlying software leveraging the extension/plugin (including operating systems) is up-to-date. Implement an extension/plugin allow list, based on the given security policy. If applicable, confirm extensions/plugins are properly signed by the official developers. For web browsers, close sessions when finished to prevent malicious extensions/plugins from executing the the background. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-507 |
Trojan Horse |
| CWE-829 |
Inclusion of Functionality from Untrusted Control Sphere |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-542 |
An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts. |
|
| Taxonomy: ATTACK |
|
Entry ID
|
Entry Name
|
| 1176 |
Browser Extensions |
| 1505.004 |
Server Software Component: IIS Components |
|