Microsoft recently made an update to Window Defender Exclusions permission whereby it is no longer possible to view the excluded folders and files without administrator rights. This is a significant change as threat actors would often use this information to deliver malicious payloads inside such excluded directories in order to bypass Defender scans.
However, this may not be able to stop a new botnet called Kraken which was recently discovered by ZeroFox. That's because Kraken simply adds itself as an exclusion instead of trying to look for excluded places to deliver the payload. This is a relatively simple and effective way to bypass Windows Defender scan.
ZeroFox has explained how this works:
During Kraken’s installation phase, it attempts to move itself into %AppData%\Microsoft.
To stay hidden, Kraken runs the following two commands:
powershell -Command Add-MpPreference -ExclusionPath %APPDATA%\Microsoft
attrib +S +H %APPDATA%\Microsoft\
ZeroFox noted that Kraken is mainly a stealer malware, similar to the recently discovered Microsoft Windows 11 lookalike website. The security firm adds that Kraken's capabilities now include the ability to steal information related to users' cryptocurrency wallets, reminiscent of the recent fake KMSPico Windows activator malware.
The most recent feature addition is the ability to steal various cryptocurrency wallets from the following locations:
- %AppData%\Guarda\Local Storage\leveldb
- %AppData%\atomic\Local Storage\leveldb
You can find more details about how Kraken works in the official blog post.