CAPEC-186 Malicious Software Update

CAPEC ID: 186

CAPEC-186 Metadata

Likelihood of Attack

High

Typical Severity

High

Overview

Summary

An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source.

Prerequisites

No prerequisites listed.

Execution Flow

Step Phase Description Techniques
1 Explore [Identify target] The adversary must first identify what they want their target to be. Because malicious software updates can be carried out in a variety of ways, the adversary will first not only identify a target program, but also what users they wish to target. This attack can be targeted (a particular user or group of users) or untargeted (many different users).
2 Experiment [Craft a deployment mechanism based on the target] The adversary must craft a deployment mechanism to deploy the malicious software update. This mechanism will differ based on if the attack is targeted or untargeted.
  • Targeted attack: hosting what appears to be a software update, then harvesting actual email addresses for an organization, or generating commonly used email addresses, and then sending spam, phishing, or spear-phishing emails to the organization's users requesting that they manually download and install the malicious software update.
  • Targeted attack: Instant Messaging virus payload, which harvests the names from a user's contact list and sends instant messages to those users to download and apply the update
  • Untargeted attack: Spam the malicious update to as many users as possible through unsolicited email, instant messages, or social media messages.
  • Untargeted attack: Send phishing emails to as many users as possible and pretend to be a legitimate source suggesting to download an important software update.
  • Untargeted attack: Use trojans/botnets to aid in either of the two untargeted attacks.
3 Exploit [Deploy malicious software update] Using the deployment mechanism from the previous step, the adversary gets a user to install the malicious software update.

Potential Solutions / Mitigations

Validate software updates before installing.

Related Weaknesses (CWE)

CWE ID Description
CWE-494 Download of Code Without Integrity Check

Related CAPECs

CAPEC ID Description
CAPEC-98 Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.
CAPEC-184 An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, achieving the modification of the target's integrity to achieve an insecure state.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID Entry Name
1195.002 Supply Chain Compromise: Compromise Software Supply Chain

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.