ID: B0024
Objective(s): Execution
Related ATT&CK Techniques: None
Version: 2.0
Created: 1 August 2019
Last Modified: 8 May 2023

Prevent Concurrent Execution

To avoid running multiple instances of itself, malicious code may check a system to see if it is already running. To accomplish this, malware authors use a mutex (mutual exclusion object), also known as a mutant, to evaluate whether a system has been infected. If the mutex already exists, the system is likely already compromised and there is no need to re-infect the host [1]. A mutex also serializes access to a resource so that multiple parties do not attempt simultaneous access [2].
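Because the mutex marks an infected host, a defender who knows the name a sample creates can look for it in a host's handle inventory. The following is an added example, not part of the catalog entry: it parses a constructed handle listing and matches mutant names against a constructed marker list. The listing layout, process names and mutex names are all assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed marker patterns (placeholders, not real indicators).
MARKERS = ["EXAMPLE_MARKER_MUTEX", "Global\\EXAMPLE-FAMILY-*"]

# Constructed listing: "<process> pid: <pid>" header lines followed by
# "<handle>: <type> <object path>" lines. The layout is an assumption.
SAMPLE = r"""
explorer.exe pid: 4120
  1A4: Mutant        \Sessions\1\BaseNamedObjects\ShellReadyMutex
  2C8: Section       \Sessions\1\BaseNamedObjects\SomeSection
updater.exe pid: 6812
  0F0: Mutant        \Sessions\1\BaseNamedObjects\EXAMPLE_MARKER_MUTEX
svc.exe pid: 932
  3B4: Mutant        \BaseNamedObjects\EXAMPLE-FAMILY-7f3a
  3B8: Mutant
"""

PROC = re.compile(r"^(\S+)\s+pid:\s+(\d+)")
# Unnamed mutants have no path after the type and do not match.
MUTANT = re.compile(r"^\s+[0-9A-Fa-f]+:\s+Mutant\s+(\S.*)$")

def normalize(path):
    r"""Map a kernel object path to the name a program passes to the API."""
    m = re.match(r"^\\Sessions\\\d+\\BaseNamedObjects\\(.+)$", path)
    if m:
        return m.group(1)                  # session-local namespace
    m = re.match(r"^\\BaseNamedObjects\\(.+)$", path)
    if m:
        return "Global\\" + m.group(1)     # global namespace
    return path

def find_marker_mutexes(listing, markers=MARKERS):
    """Return (process, pid, mutex name) for every mutant matching a marker."""
    hits, proc = [], None
    for line in listing.splitlines():
        if (m := PROC.match(line)):
            proc = (m.group(1), int(m.group(2)))
        elif (m := MUTANT.match(line)) and proc:
            name = normalize(m.group(1).strip())
            # Mutex names are compared case-sensitively on Windows.
            if any(fnmatchcase(name, p) for p in markers):
                hits.append((*proc, name))
    return hits
```

Unnamed mutexes, such as the one described for Bagle below, carry no name and cannot be found by a name match like this one.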

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| Bagle | 2004 | -- | Some variants look for an unnamed mutex to ensure only one copy of itself is running on a system. [3] |

References

[1] M. Elias, "Prime Minister’s Office Compromised: Details of Recent Espionage Campaign," Trellix.com, 25 Jan. 2022. [Online]. Available: https://www.trellix.com/en-us/about/newsroom/stories/research/prime-ministers-office-compromised.html

[2] Contributors: S. White, K. Sharkey, D. Coulter, D. Batchelor, and M. Satran, "Mutex Objects," learn.microsoft.com, 07 Jan. 2021. [Online]. Available: https://learn.microsoft.com/en-us/windows/win32/sync/mutex-objects

[3] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/WORM_BAGLE.U/