New to CAPEC? Start Here
Home > CAPEC List > CAPEC-698: Install Malicious Extension (Version 3.9)  

CAPEC-698: Install Malicious Extension

Attack Pattern ID: 698
Abstraction: Detailed
View customized information:
+ Description

An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.

+ Extended Description

Many software applications allow users to install third-party software extensions/plugins that provide additional features and functionality. Adversaries can take advantage of this behavior to install malware on a system with relative ease. This may require the adversary compromising a system and then installing the malicious extension themself. An alternate approach entails masquerading the malicious extension as a legitimate extension. The adversary then convinces users to install the malicious component, via means such as social engineering, or simply waits for victims to unknowingly install the malware on their systems. Once the malicious extension has been installed, the adversary can achieve a variety of negative technical impacts such as obtaining sensitive information, executing unauthorized commands, observing/modifying network traffic, and more.

+ Likelihood Of Attack


+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.542Targeted Malware
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Identify target(s): The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base.

  1. Create malicious extension: Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic.

  1. Install malicious extension: The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.

    Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself.
    User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component.
+ Prerequisites
The adversary must craft malware based on the type of software and system(s) they intend to exploit.
If the adversary intends to install the malicious extension themself, they must first compromise the target machine via some other means.
+ Skills Required
[Level: Medium]
Ability to create malicious extensions that can exploit specific software applications and systems.
[Level: Medium]
Optional: Ability to exploit target system(s) via other means in order to gain entry.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Access Control
Read Data
Access Control
Modify Data
Access Control
Execute Unauthorized Commands
Alter Execution Logic
Gain Privileges
+ Mitigations
Only install extensions/plugins from official/verifiable sources.
Confirm extensions/plugins are legitimate and not malware masquerading as a legitimate extension/plugin.
Ensure the underlying software leveraging the extension/plugin (including operating systems) is up-to-date.
Implement an extension/plugin allow list, based on the given security policy.
If applicable, confirm extensions/plugins are properly signed by the official developers.
For web browsers, close sessions when finished to prevent malicious extensions/plugins from executing the the background.
+ Example Instances

In January 2018, Palo Alto's Unit 42 reported that a malicious Internet Information Services (IIS) extension they named RGDoor was used to create a backdoor into several Middle Eastern government organizations, as well as a financial institution and an educational institution. This malware was used in conjunction with the TwoFace webshell and allowed the adversaries to upload/download files and execute unauthorized commands. [REF-740]

In December 2018, it was reported that North Korea-based APT Kimusky (also known as Velvet Chollima) infected numerous legitimate academic organizations within the U.S., many specializing in biomedical engineering, with a malicious Google Chrome extension. Dubbed "Operation STOLEN PENCIL", the attack entailed conducting spear-phishing attacks to trick victims into installing a malicious PDF reader named "Auto Font Manager". Once installed, the malware allowed adversaries to steal cookies and site passwords, as well as forward emails from some compromised accounts. [REF-741]

+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (also see parent)
Entry IDEntry Name
1176Browser Extensions
1505.004Server Software Component: IIS Components
+ References
[REF-740] Robert Falcone. "OilRig uses RGDoor IIS Backdoor on Targets in the Middle East". Palo Alto Networks. 2018-01-25. <>. URL validated: 2022-09-23.
[REF-741] ASERT Team. "STOLEN PENCIL Campaign Targets Academia". NETSCOUT. 2018-12-05. <>. URL validated: 2022-09-23.
+ Content History
Submission DateSubmitterOrganization
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
More information is available — Please select a different filter.
Page Last Updated or Reviewed: September 29, 2022