Microsoft recently updated Windows Defender so that the folders and files excluded from scanning can no longer be viewed without administrator rights.
This is a significant change, since malware authors have often used the exclusion list to find locations that Windows Defender does not scan and hide their malware there.
However, this does not stop a new botnet called Kraken, recently discovered by ZeroFox. Rather than trying to find out which folders are already excluded, Kraken adds its own location as a new exclusion. It is a simple and effective way to bypass Windows Defender scanning.
ZeroFox reports:
During the installation phase, Kraken tries to move itself to %AppData%\Microsoft.
To stay hidden, Kraken runs the following commands:
powershell -Command Add-MpPreference -ExclusionPath %APPDATA%\Microsoft
attrib +S +H %APPDATA%\Microsoft\
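A defender-side check for this technique, added here as an example (it is not from the article or from ZeroFox's report): it lists Defender path exclusions that point into user-writable profile locations, notes whether the excluded folder has been marked hidden and system, and pulls recent exclusion changes from the Defender operational log. It assumes the built-in Defender cmdlets and an elevated shell; the list of "user-writable roots" is my own choice.

```powershell
# Added example, not from the article or ZeroFox: audit Microsoft Defender for
# exclusions under user-writable locations (the pattern Kraken uses) and list
# recent exclusion changes. Assumes the built-in Defender module; run elevated,
# since exclusions are no longer readable by standard users.

function Get-SuspiciousDefenderExclusion {
    [CmdletBinding()]
    param(
        # Roots an unprivileged user can write to (assumed list); an exclusion
        # under one of these lets anything dropped there skip scanning.
        [string[]]$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:SystemDrive\Users")
    )
    foreach ($p in (Get-MpPreference).ExclusionPath) {
        # Exclusions may be stored with environment variables; expand before comparing.
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        $hit = $UserWritableRoots |
            Where-Object { $_ -and $expanded.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        if ($hit) {
            # -Force is needed to see folders marked hidden (Kraken sets +S +H).
            $item = Get-Item -LiteralPath $expanded -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Exclusion    = $p
                Expanded     = $expanded
                Exists       = [bool]$item
                HiddenSystem = [bool]($item -and
                    $item.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                    $item.Attributes.HasFlag([IO.FileAttributes]::System))
            }
        }
    }
}

function Get-DefenderExclusionChange {
    param([int]$Days = 7)
    # Event 5007 records every Defender configuration change; exclusion edits
    # reference the Exclusions\Paths registry key in the message text.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated,
            @{ n = 'Change'; e = { ($_.Message -split "`n" | Where-Object { $_ -match 'New value' }) -join ' ' } }
}

Get-SuspiciousDefenderExclusion | Format-Table -AutoSize
Get-DefenderExclusionChange     | Format-Table -AutoSize -Wrap
```

An exclusion under %APPDATA% combined with a hidden+system folder is exactly the state Kraken leaves behind, so both tables empty is the expected result on a clean host.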
ZeroFox reports that Kraken is information-stealing malware that targets cryptocurrency wallets.
ZeroFox reports:
It can steal various cryptocurrency wallets from the following locations:
%AppData%\Zcash
%AppData%\Armory
%AppData%\bytecoin
%AppData%\Electrum\wallets
%AppData%\Ethereum\keystore
%AppData%\Exodus\exodus.wallet
%AppData%\Guarda\Local Storage\leveldb
%AppData%\atomic\Local Storage\leveldb
%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
You can find more information about how Kraken works on the company's blog.