CAPEC-186
Malicious Software Update
Typical Severity: High
Status: Draft
Submitted: 2014-06-23 00h00 +00:00
Last modified: 2022-09-29 00h00 +00:00

CAPEC Description

An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code, believed to be a valid update, that actually originates from an adversary-controlled source.

CAPEC Information

Execution Flow

1) Explore

[Identify target] The adversary must first identify what they want their target to be. Because malicious software updates can be carried out in a variety of ways, the adversary will first not only identify a target program, but also what users they wish to target. This attack can be targeted (a particular user or group of users) or untargeted (many different users).

2) Experiment

[Craft a deployment mechanism based on the target] The adversary must craft a deployment mechanism to deploy the malicious software update. This mechanism will differ based on if the attack is targeted or untargeted.

Technique
  • Targeted attack: hosting what appears to be a software update, then harvesting actual email addresses for an organization, or generating commonly used email addresses, and then sending spam, phishing, or spear-phishing emails to the organization's users requesting that they manually download and install the malicious software update.
  • Targeted attack: Instant Messaging virus payload, which harvests the names from a user's contact list and sends instant messages to those users to download and apply the update.
  • Untargeted attack: Spam the malicious update to as many users as possible through unsolicited email, instant messages, or social media messages.
  • Untargeted attack: Send phishing emails to as many users as possible and pretend to be a legitimate source suggesting to download an important software update.
  • Untargeted attack: Use trojans/botnets to aid in either of the two untargeted attacks.

3) Exploit

[Deploy malicious software update] Using the deployment mechanism from the previous step, the adversary gets a user to install the malicious software update.

Skills Required

This attack requires advanced cyber capabilities.

Resources Required

Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the adversary to host a payload and then trigger the installation of the payload code.

Mitigations

Validate software updates before installing.

Related Weaknesses

CWE-494: Download of Code Without Integrity Check
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
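The mitigation above ("validate software updates before installing") and the related weakness CWE-494 both come down to one check in the update client. The following Go code is an added example, not part of the CAPEC entry or of any particular product: it verifies an update manifest against a publisher key pinned in the client, checks the payload digest the manifest signs, and refuses anything that does not move the version forward. The manifest format, field names and function names are assumptions constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Body is the signed part of the manifest: which release, and the exact digest of its payload.
type Body struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
}
// Manifest carries the signed body and an Ed25519 signature over its JSON encoding.
type Manifest struct {
	Body      Body   `json:"body"`
	Signature []byte `json:"signature"`
}

// VerifyUpdate accepts an update only if (1) the manifest is signed by the pinned publisher
// key that shipped with the client (never a key delivered alongside the update), (2) the
// downloaded payload hashes to the signed digest, and (3) the version moves forward.
func VerifyUpdate(manifestJSON, payload []byte, pinned ed25519.PublicKey, installed int) error {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return errors.New("manifest is not valid JSON")
	}
	signed, _ := json.Marshal(m.Body) // re-encoding this fixed struct is deterministic and cannot fail
	if !ed25519.Verify(pinned, signed, m.Signature) {
		return errors.New("manifest signature invalid: not from the pinned publisher key")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.Body.SHA256 {
		return errors.New("payload digest does not match the signed manifest")
	}
	if m.Body.Version <= installed {
		return errors.New("update is not newer than the installed version (rollback blocked)")
	}
	return nil
}
// SignManifest is the publisher side, included only so the example is self-contained (constructed).
func SignManifest(priv ed25519.PrivateKey, version int, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	body := Body{Version: version, SHA256: hex.EncodeToString(sum[:])}
	signed, _ := json.Marshal(body)
	out, _ := json.Marshal(Manifest{Body: body, Signature: ed25519.Sign(priv, signed)})
	return out
}
```

A client that only checks the hash published next to the download, or that trusts a key shipped inside the update itself, still has the CWE-494 weakness because an adversary controlling the source controls both.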

References

REF-697: Microsoft Defender Security Research Team. "New ransomware, old techniques: Petya adds worm capabilities." https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

Submission

Name: CAPEC Content Team
Organization: The MITRE Corporation
Date: 2014-06-23 +00:00

Modifications

All modifications by the CAPEC Content Team, The MITRE Corporation:
  • 2015-11-09 +00:00: Updated Activation_Zone, Attack_Motivation-Consequences, Attacker_Skills_or_Knowledge_Required, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Solutions_and_Mitigations, Typical_Severity
  • 2018-07-31 +00:00: Updated Attack_Motivation-Consequences, Description Summary
  • 2020-12-17 +00:00: Updated Description, Notes
  • 2021-10-21 +00:00: Updated Description, Execution_Flow, Related_Attack_Patterns
  • 2022-02-22 +00:00: Updated Description, Example_Instances, Extended_Description, References, Resources_Required
  • 2022-09-29 +00:00: Updated Taxonomy_Mappings