Infection chain is the infosec term for a set of multistage attack tools, each of which downloads the next to an infected system with the goal of installing and running a payload.
In the realm of information security, the term infection chain can also refer to a list of hosts through which malicious code is downloaded to a browser when a user views a compromised page. Such schemes usually involve the use of several Web resources that access each other in sequence with the aim of running a script to initiate the download of malware. The term was adopted from biology, where it refers to the path by which an infection spreads within a group of people.
Why cybercriminals use infection chains
The main purpose of an infection chain is to deliver a payload and bypass detection tools; early-stage tools (downloaders) do not always have a malicious function and can be legitimate programs, so they are more difficult to detect. In addition, using a multistage approach increases an attack’s chances of achieving persistence in the system. (Persistence is sometimes the specific purview of one of the intermediate tools in the infection chain, which redelivers the payload into the system if it is removed.)
Infection chain elements
An infection chain’s core element is the payload — the destructive part of the malware. Attackers can deliver and launch the payload by means of a/an:
- Exploit — a tool that exploits software vulnerabilities to penetrate the target system;
- Dropper — a program with embedded malware that it secretly extracts and executes;
- Downloader — a program that downloads malware from online resources;
- Installer — a program responsible for decrypting, unpacking, assembling and configuring malware, and for placing its files in the target system.
Infection chain launch
Malware can be injected into a system through: