Prevent Concurrent Execution

September 20, 2023

ID: B0024
Objective(s): Execution
Related ATT&CK Techniques: None
Version: 2.0
Created: 1 August 2019
Last Modified: 8 May 2023

To avoid running multiple instances of itself, malicious code may check whether it is already running on a system. To accomplish this, malware authors use a mutex (mutual exclusion object), also known as a mutant, to evaluate whether a system has been infected. If the mutex already exists, the system is likely already compromised and there is no need to re-infect the host [1]. A mutex also serializes access to a resource so that multiple parties do not attempt simultaneous access [2].
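As an added illustration (not part of the MBC entry), the sketch below flags this behavior in an API-call trace: a process learns that a mutex already exists and exits shortly afterwards. The `Call` record layout, the `window` parameter and the sample trace are assumptions constructed for the example.

```python
from collections import namedtuple

# One record per API call in a (hypothetical) sandbox trace.
Call = namedtuple("Call", "pid api name ret last_error")

ERROR_ALREADY_EXISTS = 183  # set by CreateMutex when the named mutex already exists
CREATE_APIS = {"CreateMutexA", "CreateMutexW", "CreateMutexExA", "CreateMutexExW"}
OPEN_APIS = {"OpenMutexA", "OpenMutexW"}
EXIT_APIS = {"ExitProcess", "TerminateProcess"}  # assumed to be self-termination

def find_instance_checks(trace, window=5):
    """Return (pid, mutex_name) for each process that found an existing
    mutex and exited no later than `window` calls afterwards."""
    pending = {}   # pid -> [mutex name, calls left before the hit expires]
    findings = []
    for c in trace:
        found_existing = (
            (c.api in CREATE_APIS and c.ret and c.last_error == ERROR_ALREADY_EXISTS)
            or (c.api in OPEN_APIS and c.ret)   # OpenMutex succeeds only if it exists
        )
        if found_existing:
            pending[c.pid] = [c.name, window]
        elif c.pid in pending:
            if c.api in EXIT_APIS:
                findings.append((c.pid, pending.pop(c.pid)[0]))
            else:
                pending[c.pid][1] -= 1
                if pending[c.pid][1] == 0:
                    del pending[c.pid]
    return findings

# Constructed trace: pid 100 is the first instance, 200 a second copy that
# quits, 300 a failed OpenMutex, 400 a late exit unrelated to the check.
M = "Global\\ExampleMutex"
SAMPLE_TRACE = [
    Call(100, "CreateMutexW", M, 0x1C4, 0),
    Call(100, "CreateFileW", None, 0x1C8, 0),
    Call(200, "CreateMutexW", M, 0x1D0, ERROR_ALREADY_EXISTS),
    Call(300, "OpenMutexW", "ExampleOther", 0, 2),
    Call(200, "CloseHandle", None, 1, 0),
    Call(400, "CreateMutexW", M, 0x1D4, ERROR_ALREADY_EXISTS),
    Call(200, "ExitProcess", None, 0, 0),
    Call(300, "ExitProcess", None, 0, 0),
] + [Call(400, "ReadFile", None, 1, 0)] * 5 + [Call(400, "ExitProcess", None, 0, 0)]

if __name__ == "__main__":
    print(find_instance_checks(SAMPLE_TRACE))
```

Benign single-instance applications use the same pattern, so a hit labels a behavior rather than proving malice.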

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| Bagle | 2004 | -- | Some variants look for an unnamed mutex to ensure only one copy of itself is running on a system. [3] |

References

[1] M. Elias, "Prime Minister’s Office Compromised: Details of Recent Espionage Campaign," Trellix.com, 25 Jan. 2022. [Online]. Available: https://www.trellix.com/en-us/about/newsroom/stories/research/prime-ministers-office-compromised.html.

[2] Contributors: S. White, K. Sharkey, D. Coulter, D. Batchelor, and M. Satran, "Mutex Objects," learn.microsoft.com, 07 Jan. 2021. [Online]. Available: https://learn.microsoft.com/en-us/windows/win32/sync/mutex-objects.

[3] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/WORM_BAGLE.U/