ID | B0023 |
Objective(s) | Execution |
Related ATT&CK Techniques | None |
Version | 2.1 |
Created | 1 August 2019 |
Last Modified | 13 September 2023 |
Malware installs another, different program on the system. The additional program can be any secondary module as exemplified by backdoors, malicious drivers, kernel modules, and OS X Apps.
There are various ways to accomplish the installation. For example, malicious code can beacon to a C2 node to download an additional program, including updates (see Ingress Tool Transfer (E1105)), which is then executed and installed [1]. A threat actor can achieve the same goal using a dropper embedded in the binary of the original executable, or using API calls to extract resource files that are in fact hidden executables. The extracted files are then dropped to disk.
Examples of droppers include malicious:
- Microsoft Excel files
- ISO image files
- self-extracting zip or archive files, which in turn may contain a second-stage dropper as part of the payload [2] [3].
Droppers may be described as “single stage” or “two stage.” While the former embeds the malicious code internally, the latter installs itself before downloading additional code from a remote location [4].
Name | Date | Method | Description |
---|---|---|---|
WebCobra | 2018 | -- | The malware downloads and executes Claymore's Zcash miner from a remote server. [5] |
Geneio | 2015 | -- | Malware tricks OS X keychain to create application files. Malware also installs the browser extension Omnibar.safariextz. [14] |
GoBotKR | 2019 | -- | GoBotKR reinstalls its running instance if it is removed. [7] |
MazarBot | 2016 | -- | MazarBot installs a backdoor. [18] |
Mebromi | 2011 | -- | Malware contains a dropper that installs additional programs like Cbrom.exe. [15] |
YiSpecter | 2015 | -- | The malware can download and install arbitrary iOS apps. [17] |
UP007 | 2016 | -- | The malware is a dropper that creates multiple files. [8] |
CozyCar | 2010 | -- | Upon execution, CozyCar drops a decoy file and a secondary dropper. [9] |
Clipminer | 2011 | -- | Clipminer drops a file masquerading as a Control Panel (CPL) file. [10] |
Vobfus | 2016 | -- | Vobfus downloads malware from other malware families. [11] |
Matanbuchus | 2021 | -- | Malware drops the first loader which is responsible for loading the main loader into memory. [12] [13] |
SearchAwesome | 2018 | -- | The malware installs an open-source program called mitmproxy. [16] |
Dark Comet | 2008 | -- | The malware contains an embedded PE file. [19] |
Gamut | 2014 | -- | Gamut contains an embedded PE file. [19] |
Redhip | 2011 | -- | Redhip contains an embedded PE file. [19] |
ElectroRAT | 2020 | -- | ElectroRAT looks for wallets to steal cryptocurrency. [20] |
Tool: capa | Mapping | APIs |
---|---|---|
contain an embedded PE file | Install Additional Program (B0023) | |
write and execute a file | Install Additional Program (B0023) | |
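The capa mapping above, "contain an embedded PE file", is the static counterpart of the resource-extraction droppers described earlier. The following is an added defender-side illustration, not part of the MBC entry and not capa's own rule logic: it scans a buffer for a second MZ/PE header pair whose `e_lfanew` field resolves to a valid `PE\0\0` signature. The sample bytes are constructed inline and are not real malware.

```python
"""Heuristic scanner for PE images embedded inside another file
(the idea behind the "contain an embedded PE file" behaviour)."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def find_embedded_pe(data: bytes):
    """Return offsets of every well-formed PE header found *inside* data,
    skipping offset 0, which is the host executable's own header."""
    hits = []
    pos = data.find(MZ, 1)
    while pos != -1:
        # The DOS header is 0x40 bytes; e_lfanew at +0x3C points to "PE\0\0".
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Reject stray "MZ" bytes: e_lfanew must be plausible and in bounds.
            if 0x40 <= e_lfanew <= 0x1000 and pe_off + 4 <= len(data):
                if data[pe_off:pe_off + 4] == PE_SIG:
                    hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def make_fake_pe(payload: bytes) -> bytes:
    """Build a minimal PE-shaped blob (constructed sample, headers only)."""
    hdr = bytearray(MZ + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    return bytes(hdr) + PE_SIG + payload


def build_sample() -> bytes:
    """Constructed 'dropper': an outer PE carrying a second PE in its
    resource area, plus a decoy 'MZ' string that is not a real header."""
    outer = make_fake_pe(b"\x90" * 32)            # 100 bytes
    inner = make_fake_pe(b"second-stage")         # starts at offset 104
    return outer + b"RSRC" + inner + b"MZ-not-a-header"


if __name__ == "__main__":
    print("embedded PE offsets:", find_embedded_pe(build_sample()))  # [104]
```

A hit at a non-zero offset is a triage signal, not a verdict: installers and legitimate self-extracting packages also embed executables, so the finding should be paired with the "write and execute a file" behaviour or dynamic evidence before it is treated as B0023.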
[1] "Cyclops Blink: Malware Analysis Report, Version 1.0," National Cyber Security Centre/GCHQ, 23 Feb. 2022. [Online]. Available: https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf.
[2] Threat Hunter Team, "Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine," Symantec, Enterprise Blogs/Threat Intelligence, 20 Apr. 2022. [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine.
[3] "What's behind APT29? | How they attack: the story of our hunt for the CozyDuke cybercriminal group," Kaspersky.com. [Online]. Available: https://www.kaspersky.com/enterprise-security/mitre/apt29.
[4] "Dropper," Computersecurity.fandom.com, wiki. [Online]. Available: https://computersecurity.fandom.com/wiki/Dropper.
[5] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[6] https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator.html
[7] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[8] https://citizenlab.ca/2016/04/between-hong-kong-and-burma/
[9] https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke
[10] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking
[11] https://securitynews.sonicwall.com/xmlpost/revisiting-vobfus-worm-mar-8-2013/
[12] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[13] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader
[14] https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/
[15] https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
[16] https://www.malwarebytes.com/blog/news/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection
[17] https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/
[18] https://us.norton.com/internetsecurity-emerging-threats-mazar-bot-malware-invades-and-erases-android-devices.html
[19] capa v4.0, analyzed at MITRE on 10/12/2022
[20] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/