ID | B0023 |
Objective(s) | Execution |
Related ATT&CK Techniques | None |
Version | 2.0 |
Created | 1 August 2019 |
Last Modified | 21 November 2022 |
Installs another, different program on the system. The additional program can be any secondary module; examples include backdoors, malicious drivers, kernel modules, and OS X Apps.
Malware that installs another component is called a "dropper." If the code is contained in the malware, it's a "single stage" dropper; "two stage" droppers download the code from a remote location (the associated download behavior is covered by the Ingress Tool Transfer (E1105) behavior).
Name | Date | Method | Description |
---|---|---|---|
WebCobra | November 2018 | -- | Drops software to mine for cryptocurrency. [1] |
Geneio | August 2015 | -- | Tricks OS X keychain to create application files. |
GotBotKR | July 2019 | -- | GotBotKR reinstalls its running instance if it is removed. [3] |
MazarBot | 2016 | -- | Installs a backdoor. |
Mebromi | 2011 | -- | A Trojan downloader. |
YiSpecter | 2015 | -- | Can download and install arbitrary iOS apps. |
UP007 | 2016 | -- | The malware is a dropper that creates multiple files. [4] |
CozyCar | 2010 | -- | Upon execution, CozyCar drops a decoy file and a secondary dropper. [5] |
Clipminer | 2011 | -- | Clipminer drops a file masquerading as a Control Panel (CPL) file. [6] |
[1] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[2] https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator.html
[3] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[4] https://citizenlab.ca/2016/04/between-hong-kong-and-burma/
[5] https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke
[6] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking