CAPEC-698 Install Malicious Extension – Attack Pattern Analysis

CAPEC-698 Metadata

Likelihood of Attack

Medium

Typical Severity

High

Overview

Summary

An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.

Prerequisites

The adversary must craft malware based on the type of software and system(s) they intend to exploit. If the adversary intends to install the malicious extension themself, they must first compromise the target machine via some other means.

Execution Flow

Step	Phase	Description	Techniques
1	Explore	[Identify target(s)] The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base.
2	Experiment	[Create malicious extension] Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic.
3	Exploit	[Install malicious extension] The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.	Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself. User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component.

Potential Solutions / Mitigations

Only install extensions/plugins from official/verifiable sources. Confirm extensions/plugins are legitimate and not malware masquerading as a legitimate extension/plugin. Ensure the underlying software leveraging the extension/plugin (including operating systems) is up-to-date. Implement an extension/plugin allow list, based on the given security policy. If applicable, confirm extensions/plugins are properly signed by the official developers. For web browsers, close sessions when finished to prevent malicious extensions/plugins from executing the the background.

Related Weaknesses (CWE)

CWE ID	Description
CWE-507	Trojan Horse
CWE-829	Inclusion of Functionality from Untrusted Control Sphere

Related CAPECs

CAPEC ID	Description
CAPEC-542	An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID	Entry Name
1176	Browser Extensions
1505.004	Server Software Component: IIS Components

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.