Crackonosh Monero miner made $2M after infecting 222,000 Win systems

Pierluigi Paganini June 27, 2021

Researchers have discovered a strain of cryptocurrency-mining malware, tracked as Crackonosh, that abuses Windows Safe mode to avoid detection. 

Researchers from Avast have spotted a strain of cryptocurrency miner, tracked as Crackonosh, that abuses Windows Safe mode to avoid detection.

“While the Windows system is in safe mode antivirus software doesn’t work. This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender.” reads the analysis published by Avast.

The cryptocurrency miner spreads through illegal and cracked copies of popular software.

The researchers started investigating the threat after they became aware that the malware was disabling and uninstalling its antivirus from infected devices. Later the experts discovered that Crackonosh was also able to disable antivirus software from other major security vendors to avoid detection, including Windows Defender and Windows Update.

Crackonosh has been active since at least June 2018, upon executing an illegal or cracked copy of legitimate software, the malicious code drops an installer and a script that modifies the Windows registry to allow the main malware executable to run in Safe mode. Then the malicious code sets to boot in Safe Mode the system on the next startup. 

Upon rebooting the system, Crackonosh will scan for the existence of antivirus software and will attempt to disable them, the malware also wipes log system files.

“It also uses WQL to query all antivirus software installed SELECT * FROM AntiVirusProduct.” continues the report. “If it finds any of the following antivirus products it deletes them with rd <AV directory> /s /q command where <AV directory> is the default directory name the specific antivirus product uses. 

  • Adaware
  • Bitdefender
  • Escan
  • F-secure
  • Kaspersky
  • Mcafee (scanner only)
  • Norton
  • Panda

It has names of folders, where they are installed and finally it deletes %PUBLIC%\Desktop\.”

The malware deletes registry entries to stop Windows Defender and turn off automatic updates, it also replace Windows Defender with its own MSASCuiL.exe which puts the icon of Windows Security in the system tray. 

The final stage of the Crackonosh attack chain is the installation of the coinminer XMRig to mine the Monero (XMR) cryptocurrency.

According to Avast, Crackonosh operators made more than 9,000 Monero coins (around $2 million at current Monero price) and infected more than 222,000 Windows computers since 2018.

The malware continues to infect systems worldwide, experts estimated that roughly 1,000 devices are being hit each day. The experts already identified 30 different versions of the malware, with the latest one that was released in November 2020. 

Most of the victims are located the US, Brazil, India, Poland, and the Philippines.


“As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers,” Avast concludes. “The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you.”

Avast published Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Crackonosh)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment