Beware: New Kraken botnet easily fools Windows Defender and steals Crypto wallet data

Gandalf_The_Grey

Microsoft recently made an update to Windows Defender Exclusions permissions whereby it is no longer possible to view the excluded folders and files without administrator rights. This is a significant change, as threat actors would often use this information to deliver malicious payloads inside such excluded directories in order to bypass Defender scans.

However, this may not be able to stop a new botnet called Kraken, which was recently discovered by ZeroFox. That's because Kraken simply adds itself as an exclusion instead of trying to look for excluded places to deliver the payload. This is a relatively simple and effective way to bypass Windows Defender scans.

ZeroFox has explained how this works:

During Kraken’s installation phase, it attempts to move itself into %AppData%\Microsoft.
[...]
To stay hidden, Kraken runs the following two commands:
  1. powershell -Command Add-MpPreference -ExclusionPath %APPDATA%\Microsoft
  2. attrib +S +H %APPDATA%\Microsoft\
ZeroFox noted that Kraken is mainly a stealer malware, similar to the recently discovered Microsoft Windows 11 lookalike website. The security firm adds that Kraken's capabilities now include the ability to steal information related to users' cryptocurrency wallets, reminiscent of the recent fake KMSPico Windows activator malware.
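The two commands quoted above leave two things a defender can check for: a Defender path exclusion pointing into a user-writable profile directory, and a directory that has been given the Hidden and System attributes. The following PowerShell audit is an added example, not code from the neowin.net or ZeroFox write-ups. It assumes a Windows 10/11 host with the built-in Defender module and an elevated session (as the article notes, the exclusion list is no longer readable without administrator rights); the list of "suspicious" root directories is this example's own assumption. It also looks for event ID 5007 in the Defender operational log, which records configuration changes such as additions under Exclusions\Paths, so an exclusion leaves a trace even if it is later removed.

```powershell
# Added example (not from the article): audit Defender path exclusions and recent
# exclusion-change events. Run from an elevated PowerShell session.

# User-writable locations a stealer would plausibly exclude. Assumed list for this example.
$suspiciousRoots = @(
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:TEMP,
    $env:USERPROFILE
) | Where-Object { $_ }

function Get-SuspiciousDefenderExclusions {
    $prefs = Get-MpPreference
    foreach ($path in @($prefs.ExclusionPath)) {
        if (-not $path) { continue }
        # Exclusions may be stored with %VARIABLES%; expand before comparing.
        $expanded = [Environment]::ExpandEnvironmentVariables($path)
        $inUserSpace = $false
        foreach ($root in $suspiciousRoots) {
            if ($expanded.StartsWith($root.TrimEnd('\') + '\', 'OrdinalIgnoreCase') -or
                $expanded.Equals($root.TrimEnd('\'), 'OrdinalIgnoreCase')) {
                $inUserSpace = $true
            }
        }
        # Check whether the excluded directory was hidden the way the article describes (attrib +S +H).
        $hiddenSystem = $false
        if (Test-Path -LiteralPath $expanded) {
            $attrs = (Get-Item -LiteralPath $expanded -Force).Attributes
            $hiddenSystem = $attrs.HasFlag([IO.FileAttributes]::Hidden) -and
                            $attrs.HasFlag([IO.FileAttributes]::System)
        }
        [pscustomobject]@{
            Exclusion    = $path
            Expanded     = $expanded
            UserWritable = $inUserSpace
            HiddenSystem = $hiddenSystem
        }
    }
}

function Get-RecentExclusionChanges {
    param([int]$Days = 7)
    # Event ID 5007: "The antimalware platform configuration changed"; the message names the
    # registry value that changed, e.g. ...\Windows Defender\Exclusions\Paths\<path>.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Message
}

# Report exclusions that are either in user-writable space or have been hidden, then
# list exclusion changes from the last week.
Get-SuspiciousDefenderExclusions |
    Where-Object { $_.UserWritable -or $_.HiddenSystem } |
    Format-Table -AutoSize
Get-RecentExclusionChanges | Format-List
```

An exclusion on %APPDATA%\Microsoft that also carries the Hidden and System attributes is the exact footprint described above; on a managed fleet the same two queries can be run remotely, and a 5007 event for Exclusions\Paths on a workstation where no administrator changed policy is worth an alert on its own.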
 

Andy Ful

Microsoft recently made an update to Windows Defender Exclusions permissions whereby it is no longer possible to view the excluded folders and files without administrator rights
...
However, this may not be able to stop a new botnet called Kraken which was recently discovered by ZeroFox.

It seems that the author of the neowin.net article misunderstood the original ZeroFox article:
The neowin.net annotation about the update of the Defender exclusion permissions could make some sense in the article about Kraken if the malware could add exclusions without Administrator rights. But this is not possible. The update cannot have any impact on the malware running with admin rights.
Of course, in the original ZeroFox article the author did not make this mistake and did not mention the Defender update at all.
 

cruelsister

Malware like this stealer demonstrates the need for malware protection that includes an outbound-alerting firewall (malware can't steal what it cannot send). Even better is CF, which, in addition to detecting the outbound traffic, will (even at Partially Limited containment) detect and prevent the PowerShell scripts from running and creating registry entries that make the changes to WD, as well as the dropping of the hidden system malicious spawn (with persistence). Also stuff like the whoami command (haven't seen that one in a while) will be prevented.
 

Andy Ful

CF can be successful in most cases. But in highly targeted attacks even CF can be compromised. For example, during lateral movement, an attacker with Administrator privileges can remotely use PowerShell to change registry keys, create scheduled tasks, run a keylogger written in PowerShell, abuse LOLBins, etc. Scripts can also be used as custom loaders of encoded PE executables to avoid the auto-sandbox.
These actions can be contained only if PowerShell (and other scripting interpreters) is set in CF to run in the sandbox.