Execution Guardrails: Mutual Exclusion
Other sub-techniques of Execution Guardrails (2)
ID | Name |
---|---|
.001 | Environmental Keying |
.002 | Mutual Exclusion |
Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes) While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012) In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023) Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
Procedure Examples |
|
Name | Description |
---|---|
GrimAgent |
GrimAgent uses the last 64 bytes of the binary to compute a mutex name. If the generated name is invalid, it will default to the generic `mymutex`.(Citation: Group IB GrimAgent July 2021) |
REvil |
REvil attempts to create a mutex using a hard-coded value to ensure that no other instances of itself are running on the host.(Citation: SecureWorks September 2019) |
PoisonIvy |
PoisonIvy creates a mutex using either a custom or default value.(Citation: FireEye Poison Ivy) |
SUNSPOT |
SUNSPOT creates a mutex using the hard-coded value ` {12d61a41-4b74-7610-a4d8-3028d2f56395}` to ensure that only one instance of itself is running.(Citation: CrowdStrike SUNSPOT Implant January 2021) |
Gazer |
Gazer creates a mutex using the hard-coded value `{531511FA-190D-5D85-8A4A-279F2F592CC7}` to ensure that only one instance of itself is running.(Citation: ESET Gazer Aug 2017) |
Black Basta |
Black Basta will check for the presence of a hard-coded mutex `dsajdhas.0` before executing.(Citation: Deep Instinct Black Basta August 2022) |
Mitigations |
|
Mitigation | Description |
---|---|
Do Not Mitigate |
This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended. |
References
- Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024.
- Microsoft. (2022, March 11). Mutexes. Retrieved September 19, 2024.
- Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names to Evade Detection. Retrieved September 19, 2024.
- Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
- Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved September 19, 2024.
- Microsoft. (2023, February 8). CreateMutexA function (synchapi.h). Retrieved September 19, 2024.
- Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
- SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12
- Elastic. (n.d.). Abnormal Process ID or Lock File Created. Retrieved September 19, 2024.
- FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024.
- CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
- ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.