Installer Packages (T1546.016)
Installer Packages [T1546.016]
Last updated
Installer Packages [T1546.016]
Last updated
Name: Installer Packages
ID: T1546.016
Tactics: ,
Technique:
Installer Packages (T1546.016) is a sub-technique under the MITRE ATT&CK framework's Persistence tactic. Attackers exploit legitimate software installation packages—such as MSI files on Windows or package installers on macOS—to maintain persistence on compromised systems. By embedding malicious scripts or binaries within installer packages, adversaries can ensure their payloads execute automatically during installation, updates, or system boot, thus establishing long-term footholds on targeted systems.
Installer packages are typically trusted by users and system administrators, making them an attractive vector for adversaries to maintain persistence. Attackers exploit the inherent trust and functionality of installer packages to embed malicious payloads or scripts.
Key technical aspects include:
Windows MSI Installer Packages:
MSI packages are Windows Installer files containing instructions and resources for software installations.
Attackers may insert malicious custom actions, scripts, or binaries into MSI files.
Custom actions can execute arbitrary code during installation, repair, or uninstallation phases.
Malicious MSI packages may be distributed via phishing emails, compromised websites, or software supply chain attacks.
macOS Installer Packages (.pkg files):
macOS installer packages (.pkg) can contain scripts executed pre- or post-installation.
Attackers leverage preinstall or postinstall scripts to execute malicious commands or install persistence mechanisms.
Malicious packages can be signed or unsigned; signed packages may evade initial security checks and appear legitimate to end-users.
Linux Package Managers (deb, rpm, etc.):
Linux systems rely on package managers (APT, YUM, DNF, RPM) for software installation and updates.
Attackers may compromise repositories or individual packages, embedding malicious scripts that execute during installation or upgrade processes.
Post-installation scripts embedded in packages can establish persistent backdoors or scheduled tasks.
Typical execution mechanisms include:
Embedding malicious scripts or binaries within legitimate installation packages.
Exploiting custom actions or installation scripts to execute malicious payloads during setup.
Leveraging legitimate package management commands to conceal malicious activities within standard installation processes.
Installer Packages (T1546.016) can appear throughout various stages of an attack lifecycle, particularly in the following scenarios:
Initial Access and Delivery:
Attackers distribute malicious installer packages through phishing emails, compromised websites, or software supply chain attacks to gain initial footholds.
Persistence and Privilege Escalation:
Adversaries use installer packages to maintain persistent access by embedding scripts or binaries that execute during system boot, updates, or user logins.
Installer packages may run with elevated privileges, enabling attackers to escalate privileges and maintain deeper access.
Software Supply Chain Attacks:
Attackers compromise legitimate software vendors or repositories, embedding malicious payloads into trusted installation packages.
Users unknowingly install malicious packages, providing attackers persistent and widespread access.
Detection of malicious installer packages typically involves a combination of behavioral, signature-based, and anomaly detection methods:
Behavioral Analysis and Endpoint Detection:
Monitor unusual execution of scripts or binaries during software installation processes.
Endpoint Detection and Response (EDR) solutions can identify suspicious custom actions or post-installation scripts executed by installer packages.
Analyze process trees to detect unexpected child processes spawned by installer or package manager executables.
Integrity Verification and Hash Checking:
Verify cryptographic hashes or digital signatures of installer packages against known-good values.
Utilize file integrity monitoring (FIM) tools to detect unauthorized changes or tampering of installation packages.
Monitoring Package Manager Logs:
Regularly review logs from package managers (APT, YUM, RPM, Windows Installer logs) for unusual installations or updates.
Identify installations originating from untrusted repositories or unexpected sources.
Network Traffic Analysis:
Monitor outbound network traffic during installation processes to detect command-and-control (C2) communications or suspicious downloads triggered by malicious scripts.
Indicators of Compromise (IoCs) include:
Unusual or unexpected installer packages appearing on endpoints.
Suspicious custom actions or scripts embedded within MSI, PKG, or RPM files.
Installer packages originating from unknown or untrusted sources.
Unexpected network connections or downloads during installation processes.
Detecting malicious installer packages is critical due to the severe impacts they can have on systems and networks:
Persistent Access: Installer packages allow attackers to establish long-term persistence on compromised systems, providing continuous access even after reboots or software updates.
Privilege Escalation: Malicious installers often execute with elevated privileges, enabling attackers to escalate privileges and compromise critical system components.
Supply Chain Risks: Compromised installer packages distributed through trusted channels can lead to widespread compromise across multiple organizations and systems.
Data Theft and Exfiltration: Attackers leveraging installer packages can deploy payloads that steal sensitive data, credentials, or intellectual property, resulting in significant financial and reputational damage.
System Stability and Integrity: Malicious installations can degrade system performance, stability, and integrity, leading to operational disruptions and increased remediation costs.
Early detection reduces the impact of these attacks, limits adversary dwell time, and allows organizations to respond swiftly to mitigate damage.
Real-world examples of attacks leveraging Installer Packages (T1546.016) include:
SolarWinds Supply Chain Attack (2020):
Attackers compromised the SolarWinds Orion software update mechanism, embedding malicious code into legitimate installer packages.
Malicious updates were distributed to thousands of customers, including government agencies and Fortune 500 companies.
Attackers gained persistent and privileged access, leading to widespread espionage and data exfiltration.
CCleaner Supply Chain Attack (2017):
Adversaries compromised CCleaner's installer package, embedding a malicious payload into the legitimate software distribution channel.
Approximately 2.3 million users downloaded the compromised installer, unknowingly installing malware.
Attackers gained persistent access, enabling further targeted attacks against select high-profile organizations.
XcodeGhost Malware (2015):
Attackers distributed compromised versions of Apple's Xcode development software, embedding malicious components within installer packages.
Developers unknowingly compiled malware into legitimate iOS applications, resulting in widespread infection and persistent access across numerous devices.
Operation ShadowHammer (ASUS Live Update Attack, 2019):
Attackers compromised ASUS's Live Update utility, embedding malicious code into legitimate installer packages distributed via official channels.
Approximately one million users downloaded the compromised updates, enabling attackers to selectively target specific victims for further attacks.
In each scenario, attackers leveraged trusted installer packages to establish persistent, privileged access, underscoring the critical importance of detecting and mitigating this sub-technique.