Field | Value |
---|---|
ID | B0023 |
Objective(s) | Execution |
Related ATT&CK Techniques | None |
Version | 2.0 |
Created | 1 August 2019 |
Last Modified | 21 November 2022 |
Installs another, different program on the system. The additional program can be any secondary module; examples include backdoors, malicious drivers, kernel modules, and OS X apps.
Malware that installs another component is called a "dropper." If the payload is embedded in the malware itself, it is a "single-stage" dropper; a "two-stage" dropper downloads the payload from a remote location (the download itself is covered by the Ingress Tool Transfer (E1105) behavior).
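As an added example (not part of the MBC page or of any referenced vendor report), the following Python implements the file-level heuristic behind the "embedded PE file" rows in the table below, which is how single-stage droppers are typically spotted in static triage: walk a binary for `MZ` candidates and accept only those whose `e_lfanew` leads to a `PE\0\0` signature and a complete COFF header, reporting the payload's architecture and whether it is an EXE or DLL. The sample dropper bytes, the helper names and the upper bound on `e_lfanew` are constructed assumptions for illustration, not data from any real sample.

```python
"""Locate PE images embedded in a blob: a hypothetical dropper-triage helper."""
import struct

# IMAGE_FILE_HEADER Machine values (PE/COFF specification)
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64", 0x01C4: "armnt"}
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002


def find_embedded_pe(data: bytes, skip_offset_zero: bool = True) -> list:
    """Return one dict per plausible PE image found in `data`.

    Every "MZ" is treated as a candidate; it is accepted only if e_lfanew
    (offset 0x3C of the DOS header) points inside the buffer at a "PE\\0\\0"
    signature followed by a complete 20-byte COFF header. A dropper that is
    itself a PE always matches at offset 0, so that hit is skipped by default.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):  # need the whole IMAGE_DOS_HEADER
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Real e_lfanew values are small; a huge one is almost always random
            # bytes that happen to follow an "MZ" in data or text (assumed bound).
            if 0x40 <= e_lfanew <= 0x1000 and pe_off + 24 <= len(data) \
                    and data[pe_off:pe_off + 4] == b"PE\0\0":
                machine, nsections, _, _, _, _, chars = struct.unpack_from(
                    "<HHIIIHH", data, pe_off + 4)
                if not (skip_offset_zero and pos == 0):
                    hits.append({
                        "offset": pos,
                        "machine": MACHINE_NAMES.get(machine, hex(machine)),
                        "sections": nsections,
                        "kind": "dll" if chars & IMAGE_FILE_DLL else "exe",
                    })
        pos = data.find(b"MZ", pos + 1)
    return hits


def build_minimal_pe(machine: int, characteristics: int) -> bytes:
    """Constructed fixture: a DOS header with e_lfanew plus a bare COFF header.

    Just enough header to be recognised as a PE; it is not loadable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + coff


# Constructed sample "single-stage dropper": an x86 EXE shell carrying an x64 DLL
# payload, plus a decoy "MZ" whose e_lfanew is garbage and must not match.
OUTER_STUB = build_minimal_pe(0x014C, IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)
FALSE_MZ = b"MZ" + b"A" * 0x3E  # e_lfanew would read as 0x41414141
EMBEDDED_PAYLOAD = build_minimal_pe(0x8664, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
SAMPLE_DROPPER = OUTER_STUB + b"\0" * 100 + FALSE_MZ + b"decoy text" + EMBEDDED_PAYLOAD + b"tail"

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_DROPPER):
        print(f"embedded PE at 0x{hit['offset']:x}: {hit['machine']} {hit['kind']}, "
              f"{hit['sections']} sections")
```

On the constructed sample the scanner reports one embedded image (the x64 DLL) and ignores both the outer stub and the bogus `MZ`. Against real droppers the payload is often compressed, XOR-encoded or stored as a resource, so a clean `MZ`/`PE` hit is a strong signal but its absence proves nothing; carving the full payload additionally requires walking the section table, which this check deliberately stops short of.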
Name | Date | Method | Description |
---|---|---|---|
WebCobra | November 2018 | -- | Drops software to mine for cryptocurrency. [1] |
Genieo | August 2015 | -- | Genieo installs the browser extension ~/Library/Safari/Extensions/Omnibar.safariextz. It also creates app files. [7] |
GoBotKR | 2019 | -- | GoBotKR reinstalls its running instance if it is removed. [3] |
MazarBot | 2016 | -- | Installs a backdoor. [8] |
Mebromi | 2011 | -- | Malware contains a dropper that installs additional programs like Cbrom.exe. [9] |
YiSpecter | 2015 | -- | Can download and install arbitrary iOS apps. [10] |
CozyCar | 2010 | -- | Upon execution, CozyCar drops a decoy file and a secondary dropper. [5] |
Clipminer | 2011 | -- | Clipminer drops a file masquerading as a Control Panel (CPL) file. [6] |
Dark Comet | 2008 | -- | Contains an embedded PE file (capa rule; 1 match). [11] |
Gamut | 2014 | -- | Contains an embedded PE file (capa rule; 1 match). [11] |
Redhip | 2011 | -- | Contains an embedded PE file (capa rule; 1 match). [11] |
SearchAwesome | 2018 | -- | The malware installs an open-source program called mitmproxy. [12] |
UP007 Malware Family | 2016 | -- | The malware is a dropper that creates multiple files. [4] |
[1] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[2] https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator.html
[3] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[4] https://citizenlab.ca/2016/04/between-hong-kong-and-burma/
[5] https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke
[6] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking
[7] https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/
[8] https://us.norton.com/internetsecurity-emerging-threats-mazar-bot-malware-invades-and-erases-android-devices.html
[9] https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
[10] http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/
[11] capa v4.0, analyzed at MITRE on 10/12/2022
[12] https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/
[13] https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/