Microsoft recently changed Windows Defender so that the list of excluded folders and files can no longer be viewed without administrator rights.
This is a significant change, because attackers often use this information to hide malware in folders that Windows Defender does not scan.
However, it does not stop a new botnet called Kraken, recently discovered by ZeroFox, because Kraken adds itself as an exclusion instead of trying to find out which folders are already excluded. It is a relatively simple and effective way to bypass Windows Defender scanning.
ZeroFox reports:
During the Kraken installation phase, it tries to move to %AppData%\Microsoft.
To stay hidden, Kraken runs the following commands:
powershell -Command Add-MpPreference -ExclusionPath %APPDATA%\Microsoft
attrib +S +H %APPDATA%\Microsoft\
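Because the exclusion list itself is now hidden from non-administrators, a defender's best view of this technique is the configuration-change event Defender writes when an exclusion is added (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log) and, where script block logging is enabled, the PowerShell 4104 record of the Add-MpPreference call. The following is an added example, not code from the article or from ZeroFox: it runs over constructed sample events and flags exclusions that point at user-writable locations such as %APPDATA%, which is where Kraken places itself.

```python
import re

# Constructed sample records (not real telemetry), flattened to "EventID=... Message=..." lines.
# 5007 = Defender configuration changed; 4104 = PowerShell script block text.
SAMPLE_EVENTS = [
    r"EventID=5007 Message=Microsoft Defender Antivirus Configuration has changed. Old value:  "
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming\Microsoft = 0x0",
    r"EventID=5007 Message=Microsoft Defender Antivirus Configuration has changed. Old value:  "
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\SQL Server = 0x0",
    r"EventID=4104 Message=Creating Scriptblock text (1 of 1): Add-MpPreference -ExclusionPath $env:APPDATA\Microsoft",
    r"EventID=4104 Message=Creating Scriptblock text (1 of 1): Get-Process",
]

# Locations a standard user can write to; an AV exclusion here deserves a look.
USER_WRITABLE = re.compile(
    r"(?i)(\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\temp\\"
    r"|%appdata%|%localappdata%|%temp%|\$env:appdata|\$env:localappdata|\$env:temp)"
)
# Exclusion path as recorded by a 5007 event (registry value under Exclusions\Paths).
EXCL_5007 = re.compile(r"(?i)Exclusions\\Paths\\(?P<path>.+?) = 0x0")
# Exclusion path as passed on the Add-MpPreference command line in a 4104 script block.
EXCL_4104 = re.compile(r"(?i)Add-MpPreference\b.*-ExclusionPath\s+(?P<path>\S+)")
EVENT_LINE = re.compile(r"EventID=(?P<id>\d+) Message=(?P<msg>.*)")


def find_suspicious_exclusions(events):
    """Return (event_id, path) for every exclusion that lands in a user-writable location."""
    hits = []
    for line in events:
        m = EVENT_LINE.match(line)
        if not m:
            continue
        event_id, msg = m.group("id"), m.group("msg")
        if event_id == "5007":
            p = EXCL_5007.search(msg)
        elif event_id == "4104":
            p = EXCL_4104.search(msg)
        else:
            continue
        if p and USER_WRITABLE.search(p.group("path")):
            hits.append((event_id, p.group("path")))
    return hits


if __name__ == "__main__":
    for event_id, path in find_suspicious_exclusions(SAMPLE_EVENTS):
        print(f"suspicious exclusion (event {event_id}): {path}")
```

The Program Files exclusion in the sample is deliberately left unflagged: the point is not that exclusions are bad, but that an exclusion covering a location the current user can write to, added shortly after a process appeared there, is the pattern this article describes.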
ZeroFox reports that Kraken is information-stealing malware that targets cryptocurrency wallets.
ZeroFox reports:
It can steal various cryptocurrency wallets from the following locations:
%AppData%\Zcash
%AppData%\Armory
%AppData%\bytecoin
%AppData%\Electrum\wallets
%AppData%\Ethereum\keystore
%AppData%\Exodus\exodus.wallet
%AppData%\Guarda\Local Storage\leveldb
%AppData%\atomic\Local Storage\leveldb
%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
You can find more information about how Kraken works on the company's blog.