Mutexes (mutants) and incident response

What is this post about and what is the point of it?

This post is the product of me going “What are these mutexes Cisco is talking about in their Threat Roundup?” How does a “mutex” tie into malware and cyber security?

So the information here is gathered from multiple sources on the Internet and presented here for my learning – hopefully it will help you a bit as well. 🙂

TL;DR

Mutexes (mutants) are used to exclusively lock access to shared resources, such as shared memory. In terms of malware, they are sometimes used to ensure hosts are not re-infected after the initial infection.

Detection based on mutex artifacts is limited and may not be the best option for detecting malware. But after analysing the malware used in an incident, its mutexes may be applicable for
a) detecting other systems infected with the same strain of malware and
b) vaccinating the endpoints.

Mutexes

A tumble into the Computer Science rabbit hole revealed that the topic is very complex, and a detailed description is way beyond the scope of this post.

But simply put: a mutex (mutual exclusion) is a control that prevents race conditions when multiple processes want to enter their “critical section”, the phase in which the program uses shared resources (such as shared memory).

If multiple applications were to read and write into the same space of shared memory… well, we see where that would be heading both in terms of operational stability and security.

Local v Named Mutex

There are two types of mutexes: local/unnamed and named.
The main difference is that a local mutex exists only within the given process, while a named mutex is global in the context of the OS.

“Named mutex objects are used for inter-process synchronization because multiple applications can access the same mutex object. The mutex class is designed to protect a shared resource like memory, file handle or network connection from simultaneous access by multiple threads or processes” [1]

Sources for finding mutants

There are two places to find mutants on a system:
1) Enumerating the handles of running processes
2) The Windows kernel object namespace

Three tools that could be utilized: SysInternals Process Explorer, Handle (CLI) and WinObj.

Usage of mutex in Malware

From what I gather, the usage is varied. Some malware families make use of mutexes and some don’t. Some have hardcoded mutex names while others employ evasive techniques using dynamic and unique names for each infected system.

Looking at the Talos article, you can see that Emotet is not reported to use mutex values, whereas Sload uses a hardcoded mutex (35 occurrences in 35 samples).

Blue Team – vaccination and incident response

While research by SANS’ Lenny Zeltser shows it is technically possible to vaccinate systems based on mutexes, it would not be feasible to keep tabs on every malware family, every variant and every technique used to derive dynamic mutex values per system in order to proactively vaccinate systems.

But it would be possible, as he also points out in his post, to use mutexes (infection markers) to contain an outbreak in the context of an incident response.
The effectiveness of this strategy will however depend on whether and how the malware uses mutexes.
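As an added example of using mutex names as infection markers during an incident (this is not code from the original post, nor from Sysinternals), the script below takes the text output of Sysinternals Handle (handle.exe -a) from the “Sources for finding mutants” section, collected from several hosts, pulls out the Mutant handles, strips the kernel namespace prefix (a name created as Global\Foo shows up as \BaseNamedObjects\Foo, a session-local name as \Sessions\<n>\BaseNamedObjects\Foo) and matches what is left against the mutex names taken from the malware analysis. The sample output, host names, PIDs and the mutex name EXAMPLE-HARDCODED-MUTEX are constructed for this example, and the line layout is an approximation of Handle’s output, so check the two regexes against a real capture before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample: "handle.exe -a" output as it might be collected from two hosts.
# Layout assumed here: a dashed separator, a "<image> pid: <n> <user>" header line,
# then one "<hex>: <type> <name>" line per handle. Processes, PIDs and names are made up.
SAMPLE_HANDLE_OUTPUT = {
    "WS-001": """\
------------------------------------------------------------------------------
explorer.exe pid: 4120 CORP\\alice
   1C: Mutant        \\Sessions\\1\\BaseNamedObjects\\ShellExplorerMutex
   40: File          C:\\Windows\\System32
------------------------------------------------------------------------------
svchost.exe pid: 6644 NT AUTHORITY\\SYSTEM
   2A: Mutant        \\BaseNamedObjects\\EXAMPLE-HARDCODED-MUTEX
""",
    "WS-002": """\
------------------------------------------------------------------------------
powershell.exe pid: 2210 CORP\\bob
   34: Mutant        \\BaseNamedObjects\\MutexVaccine-global
   38: Mutant        \\Sessions\\1\\BaseNamedObjects\\SomeLocalMutex
""",
}

# Process header and handle line, matching the assumed Handle layout above.
PROCESS_HEADER = re.compile(r"^(?P<image>\S+) pid: (?P<pid>\d+)")
HANDLE_LINE = re.compile(r"^\s*[0-9A-Fa-f]+:\s+(?P<type>\w+)\s+(?P<name>\S.*?)\s*$")
# Global\Foo lives under \BaseNamedObjects\, a session-local Foo under
# \Sessions\<n>\BaseNamedObjects\; strip either to get the name the malware used.
NAMESPACE_PREFIX = re.compile(r"^\\(?:Sessions\\\d+\\)?BaseNamedObjects\\")


def mutex_name(object_path):
    """Return the bare mutex name from the object-manager path Handle prints."""
    return NAMESPACE_PREFIX.sub("", object_path)


def parse_handle_output(text):
    """Yield (image, pid, mutex_name) for every Mutant handle in one host's output."""
    image, pid = None, None
    for line in text.splitlines():
        header = PROCESS_HEADER.match(line)
        if header:
            image, pid = header.group("image"), int(header.group("pid"))
            continue
        handle = HANDLE_LINE.match(line)
        if handle and handle.group("type") == "Mutant" and image is not None:
            yield image, pid, mutex_name(handle.group("name"))


def find_infected_hosts(outputs_by_host, marker_mutexes):
    """Map each marker mutex (from analysis of the incident's sample) to the
    (host, image, pid) tuples currently holding it. Names are compared exactly,
    as Win32 mutex name comparison is case-sensitive."""
    wanted = set(marker_mutexes)
    hits = defaultdict(list)
    for host, text in outputs_by_host.items():
        for image, pid, name in parse_handle_output(text):
            if name in wanted:
                hits[name].append((host, image, pid))
    return dict(hits)


if __name__ == "__main__":
    markers = ["EXAMPLE-HARDCODED-MUTEX"]  # placeholder IoC from the (hypothetical) analysis
    for name, holders in find_infected_hosts(SAMPLE_HANDLE_OUTPUT, markers).items():
        for host, image, pid in holders:
            print(f"{host}: {image} (pid {pid}) holds mutex {name}")
```

The same function answers the vaccination question from the other direction: passing the vaccine name (MutexVaccine-global in the PowerShell example below) instead of the malware’s marker reports which hosts already hold the vaccine mutex, which is useful for tracking rollout during containment.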

Vaccination can for instance be done through PowerShell.
Note 1: The mutex name is prefixed with Global\ so it is created in the global namespace and is visible from every session, not only the one PowerShell was started in.
Note 2: This mutant is tied to the handle held by the powershell process, so when powershell.exe exits the mutex is released. There are multiple ways to tackle this obstacle, so use whichever one you find most convenient.

In the following example, PowerShell is launched with a hidden window and waits indefinitely (timeout /t -1, i.e. “Press any key to continue…”). Passing the commands with -EncodedCommand would also give a one-liner to launch PowerShell.

powershell -WindowStyle Hidden -Command "$mutex = New-Object System.Threading.Mutex($true, 'Global\MutexVaccine-global'); timeout /t -1"

Endpoint optics

I thought it prudent to mention that Sysmon does not log mutexes, so getting mutexes into a SIEM might be a tough job.
Threat hunting through an EDR solution seems to be the best way to go here.

Sources/References

[1] https://www.techopedia.com/definition/28002/mutex-c
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
https://zeltser.com/malware-vaccination-infection-markers/
https://en.wikipedia.org/wiki/Mutual_exclusion
https://docs.microsoft.com/en-us/dotnet/api/system.threading.mutex
