Windows Malware that Mines for Crypto ‘Crackonosh’ Used by Hackers to Infect Gamers’ PCs
Crackonosh Malware Is Hiding in Free Versions of Games Which Are Available to Download on Torrent Sites.
Security researchers have recently discovered Crackonosh, a new strain of cryptocurrency-mining malware distributed through pirated and cracked versions of popular games, which disables and deletes antivirus solutions and covertly mines cryptocurrency on infected machines in multiple countries.
According to a report published online by researchers at security firm Avast, the so-called “Crackonosh” malware is being concealed in pirated versions of games such as NBA 2K19, Grand Theft Auto V, Far Cry 5, The Sims 4, and Jurassic World Evolution, which are available to download for free on torrent websites.
Crackonosh means “the mountain spirit” and is the subject of many legends and fairy tales in German, Polish, and Czech folklore, a reference to the analysts’ speculations that the malware’s developers are from the Czech Republic.
According to the report, the goal of Crackonosh is to install the XMRig coinminer, which mines the Monero cryptocurrency, from inside the cracked software downloaded to an infected computer.
Cracked software is a version of commercial software that is distributed for free, but often with a snag: its code has been tampered with, typically to insert malware or for some other purpose that benefits whoever cracked it.
Researchers stated that up to this point, cybercriminals have obtained over $2 million, or 9000 XMR in total, from the campaign.
Crackonosh malware also seems to be spreading fast, impacting 222,000 unique devices globally since December 2020. According to the report, as of May, the malware was still getting about 1,000 hits a day.
Researchers identified 30 different versions of serviceinstaller.exe, the main executable of the malware, dated from Jan. 31, 2018, to Nov. 23, 2020. According to them, this executable is started from a registry key created by Maintenance.vbs.
Impacted regions so far (victims):
- Philippines: 18,448
- Brazil: 16,584
- India: 13,779
- Poland: 12,727
- The United States: 11,856
- The United Kingdom: 8,946
Crackonosh Operation Mode
Crackonosh came to light when users started reporting that their Avast antivirus was disappearing from their systems. Following the complaints, the Avast team launched an investigation and determined that malware was involved, given its ability to disable antivirus protection.
Crackonosh protects itself by disabling security software and Windows updates and by using other anti-analysis techniques, which make it hard to discover, detect and remove.
The malware can delete or disable the following antivirus products by running the command rd <AV directory> /s /q, where <AV directory> is the default installation directory of the specific product: Avast, Kaspersky, McAfee's scanner, Norton, and Bitdefender.
The infection chain starts with the drop of an installer and a script that modifies the Windows registry so that the main malware executable can run in Safe Mode. The infected system is then set to boot into Safe Mode on its next startup.
As the researchers note, antivirus solutions do not run while Windows is in Safe Mode, which allows the malicious Serviceinstaller.exe to disable and delete Windows Defender unopposed.
In place of Windows Defender it installs its own MSASCuiL.exe, which places the Windows Security icon in the system tray.
It also uses WQL to enumerate all installed antivirus software with the query SELECT * FROM AntiVirusProduct.
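A defender-side triage script for the behaviours just described, added here as an example and not taken from the Avast report: it runs the same AntiVirusProduct query to confirm an antivirus product is still registered, checks whether the current boot entry has been forced into Safe Mode, searches autostart keys for the dropped file names, and flags an MSASCuiL.exe running from an unexpected location. Assumptions: the report does not say which registry key Maintenance.vbs writes, so the standard Run/RunOnce keys are searched, and the genuine MSASCuiL.exe is assumed to live under Program Files\Windows Defender.

```powershell
# Added triage example, not code from the Avast report. Assumptions: the report names
# serviceinstaller.exe, Maintenance.vbs and MSASCuiL.exe but not the registry key used, so the
# standard Run/RunOnce keys are searched; genuine MSASCuiL.exe assumed under Program Files\Windows Defender.
$Findings = New-Object System.Collections.Generic.List[string]

# 1. The same WQL query the malware uses, here to confirm an AV product is still registered.
$av = Get-CimInstance -Namespace 'root\SecurityCenter2' -Query 'SELECT * FROM AntiVirusProduct' -ErrorAction SilentlyContinue
if (-not $av) {
    $Findings.Add('No AntiVirusProduct registered in SecurityCenter2: AV may have been removed')
}

# 2. Forced Safe Mode boot: a safeboot element on the current BCD entry (needs elevation).
$bcd = & bcdedit /enum '{current}' 2>$null
if ($bcd -match '^\s*safeboot\s') {
    $Findings.Add('BCD {current} has safeboot set: next reboot goes to Safe Mode')
}

# 3. Autostart values referencing the dropped files named in the report.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$suspectNames = 'serviceinstaller\.exe|Maintenance\.vbs|MSASCuiL\.exe'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip registry provider metadata properties
        if ("$($p.Value)" -match $suspectNames) {
            $Findings.Add("Autostart $k\$($p.Name) -> $($p.Value)")
        }
    }
}

# 4. The fake tray process: MSASCuiL.exe running from an unexpected location.
Get-Process -Name MSASCuiL -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and $_.Path -notlike "$env:ProgramFiles\Windows Defender\*") {
        $Findings.Add("MSASCuiL.exe running from unexpected path: $($_.Path)")
    }
}

# 5. Windows Defender service, one of the targets the report says gets deleted.
if (-not (Get-Service -Name WinDefend -ErrorAction SilentlyContinue)) {
    $Findings.Add('WinDefend service is missing')
}

if ($Findings.Count -eq 0) { 'No Crackonosh-style indicators found' } else { $Findings }
```

Run it from an elevated PowerShell session so the BCD check can read the boot store; a hit on any of the five checks is a reason to take a disk image before cleaning.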
The security researchers concluded:
As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers. The key take-away from this is that … when you try to steal software, odds are someone is trying to steal from you.