Malware Mutexes in Cyber Threat Intelligence

Chad Warner
3 min read · Dec 20, 2022


Cyber threat intelligence feeds contain IoCs such as IP addresses, domains, and file hashes. They can also contain mutexes that identify malware. Mutex is a portmanteau of mutual exclusion, so named because it’s an object that prevents simultaneous access to a resource by multiple threads or processes. Mutexes are also called mutant objects and locks.

Maybe you’ve been in one of those meetings where only the person holding a colored paper is allowed to speak. In that case, the paper is the mutex, limiting speaking to one person at a time. For a software example, think of a cookie that can only be accessed by one process at a time, to prevent unwanted overwriting.

Mutexes are given names, which can act as signatures or fingerprints of the software they’re associated with. For example, some malware mutex names are gangrenb, crypt32LogOffPortEvent, )!VoqA.I4, global\setup_028746_mutexitem, defined_setnocandy, jhdheruhfrthkgjhtjkghjk5trh, _SHuassist.mtx, and iemate_Crash.


Mutex Use by Malware

Malware can use mutexes for the same reason as legitimate software (to manage access to shared resources), but malware can also use mutexes to avoid re-infecting the same device (which would increase the likelihood of detection). The malware checks for the presence of a mutex that shows it’s already infected the device, then avoids executing its infection process. It’s like an animal marking its territory.

Malware can look for the mutexes of other software to see what’s running on a system. For example, it can identify what EDR or antimalware software is running. It can also attempt to identify what other malware is on a system. Some malware will eliminate competing malware so it gains control of a system.

InfoSec is a cat-and-mouse game. As malware developers have become aware of the use of mutexes as IoCs, they’ve moved from static mutexes to dynamically generated ones, to decrease the likelihood of detection. This has decreased the value of mutexes as IoCs.

Mutexes in Cyber Threat Intelligence

Mutex names provide insights into the development of malware. They can reveal info about the malware author, the evolution of the malware, the availability or quality of code, and the reuse of functionality. Mutex names in legitimate software are rarely random (e.g., McAfeeVscanBofUpdateMutex), but mutex names in malware may be (e.g., jhdheruhfrthkgjhtjkghjk5trh).

The DC3 Malware Configuration Parser (DC3-MWCP) from the DoD Cyber Crime Center (DC3) can extract mutex names from malware, as well as other info such as addresses, passwords, and filenames. Thanks to CTI researcher William T. for making me aware of this.

When defenders (DFIR, malware analysis, CTI, etc.) discover mutexes used by malware, they can be included in threat intel feeds and malware databases. That way, automated or manual network defenses can monitor for those mutexes on the network, just as they’d monitor for other IoCs such as IP addresses, domains, and file hashes.
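One way to put such a feed to work, as an added example that is not from the article: normalize mutant names from a host handle listing (the object-manager namespace and the Global\/Local\ aliases are stripped from both the listing and the feed), match them against a watchlist built from the mutex names quoted above, and flag the long consonant runs typical of generated names for analyst review. The handle listing is constructed, and the consonant-run rule is a crude triage heuristic, not a detection rule.

```python
import re

# Watchlist built from the mutex names quoted in this article.
MUTEX_WATCHLIST = [
    "gangrenb", "crypt32LogOffPortEvent", ")!VoqA.I4",
    "global\\setup_028746_mutexitem", "defined_setnocandy",
    "jhdheruhfrthkgjhtjkghjk5trh", "_SHuassist.mtx", "iemate_Crash",
]

# Object-manager namespace prefixes seen in handle listings, and the
# Global\ / Local\ aliases that feeds often keep on the name.
_NAMESPACE = re.compile(r"^\\(Sessions\\\d+\\)?BaseNamedObjects\\", re.IGNORECASE)
_ALIAS = re.compile(r"^(Global|Local)\\", re.IGNORECASE)

def normalize(name):
    """Reduce a mutex name to the bare name the creating program chose."""
    return _ALIAS.sub("", _NAMESPACE.sub("", name.strip()))

def longest_consonant_run(name):
    """Longest run of ASCII consonants; generated names tend to have long ones."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", name, re.IGNORECASE)
    return max((len(r) for r in runs), default=0)

def match_mutexes(listing, watchlist=MUTEX_WATCHLIST, run_threshold=6):
    """Return (name, reason) pairs for Mutant handles worth a closer look."""
    wanted = {normalize(w) for w in watchlist}
    hits = []
    for line in listing.splitlines():
        parts = line.split(None, 1)          # "Type  Name" columns
        if len(parts) != 2 or parts[0] != "Mutant":
            continue
        name = normalize(parts[1])
        if name in wanted:
            hits.append((name, "watchlist"))
        elif longest_consonant_run(name) >= run_threshold:
            hits.append((name, "looks-generated"))
    return hits

# Constructed handle listing (hypothetical; not output from a real host).
SAMPLE_LISTING = """\
Mutant   \\Sessions\\1\\BaseNamedObjects\\McAfeeVscanBofUpdateMutex
Mutant   \\BaseNamedObjects\\setup_028746_mutexitem
Mutant   \\Sessions\\1\\BaseNamedObjects\\_SHuassist.mtx
Mutant   \\Sessions\\1\\BaseNamedObjects\\qxwrmtkzpdnfv
Section  \\BaseNamedObjects\\__ComCatalogCache__
"""

if __name__ == "__main__":
    for name, reason in match_mutexes(SAMPLE_LISTING):
        print(f"{reason:16} {name}")
```

Exact-match logic like this is exactly what dynamically generated mutex names defeat, which is why the heuristic flag is only a prompt for a human, not a verdict.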

Additional Resources
