| ID | B0023 |
| Objective(s) | Execution |
| Related ATT&CK Techniques | None |
| Version | 2.0 |
| Created | 1 August 2019 |
| Last Modified | 21 November 2022 |
Installs another, different program on the system. The additional program can be any secondary module; examples include backdoors, malicious drivers, kernel modules, and OS X Apps.
Malware that installs another component is called a "dropper." If the code is contained in the malware, it's a "single stage" dropper; "two stage" droppers download the code from a remote location (the associated download behavior is covered by the Ingress Tool Transfer (E1105) behavior.
| Name | Date | Method | Description |
|---|---|---|---|
| WebCobra | November 2018 | -- | Drops software to mine for cryptocurrency. [1] |
| Geneio | August 2015 | -- | Tricks OS X keychain to create application files. |
| GotBotKR | July 2019 | -- | GotBotKR reinstalls its running instance if it is removed. [3] |
| MazarBot | 2016 | -- | Installs a backdoor. |
| Mebromi | 2011 | -- | A Trojan downloader. |
| YiSpecter | 2015 | -- | Can download and install arbitrary iOS apps. |
| UP007 | 2016 | -- | The malware is a dropper that creates multiple files [4] |
| CozyCar | 2010 | -- | Upon execution, CozyCar drops a decoy file and a secondary dropper [5] |
| Clipminer | 2011 | -- | Clipminer drops a file masquerading as a Control Panel (CPL) file [6] |
[1] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[2] https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator.html
[3] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[4] https://citizenlab.ca/2016/04/between-hong-kong-and-burma/
[5] https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke
[6] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking