TH16601
Detected presence of software installers that perform unusual actions.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
 | fail | high | high | 1 | tampering: fail Reason: dangerous install procedures |
About the issueโ
Most software applications use standardized installation formats for their distribution. Software installers are built from instructions written within installation scripts that act as blueprints for the distribution format assembly. Installation scripts declare the most important software properties, such as the default installation location, its external dependencies, and various actions that may occur during the installation process. Actions defined within the installation script are executed automatically during events such as software deployment, update, or removal. These events are used by software developers to set up the environment for nominal software use, or to perform cleanup upon software removal. However, installation scripts are commonly abused by threat actors to execute arbitrary commands on the deployment machine. It was detected that an installation script could execute commands that are not typically used during software installation. Such unusual commands resemble common threat actor tactics and are usually obscured by layers of cryptography, code obfuscation, anti-analysis features, and other detection evasion techniques.
How to resolve the issueโ
- Investigate reported detections.
- If the software intent does not relate to the reported behavior, investigate your build and release environment for software supply chain compromise.
- You should delay the software release until the investigation is completed, or until the issue is risk accepted.
- Consider rewriting the installation procedure without using the marked behaviors.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total amount of packages analyzed
- RubyGems: 203K
- Nuget: 735K
- PyPi: 838K
- NPM: 5.12M
- VS Code: 113K
- PS Gallery: 17K
Recommended readingโ
Hijack Execution Flow: Executable Installer File Permissions Weakness (External resource - MITRE ATT&CK)
Intrusion detection system evasion techniques (External resource - Wikipedia)