
Crackonosh Monero miner made $2M after infecting 222,000 Win systems

Researchers have discovered a strain of cryptocurrency-mining malware, tracked as Crackonosh, that abuses Windows Safe mode to avoid detection.

Researchers from Avast have spotted a strain of cryptocurrency miner, tracked as Crackonosh, that abuses Windows Safe mode to avoid detection.

“While the Windows system is in safe mode antivirus software doesn’t work. This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender.” reads the analysis published by Avast.

The cryptocurrency miner spreads through illegal and cracked copies of popular software.

The researchers started investigating the threat after they became aware that the malware was disabling and uninstalling Avast's own antivirus from infected devices. They later discovered that Crackonosh was also able to disable antivirus software from other major security vendors to avoid detection, and that it disabled Windows Defender and Windows Update as well.

Crackonosh has been active since at least June 2018. When a victim runs an illegal or cracked copy of legitimate software, the malicious code drops an installer and a script that modifies the Windows registry so that the main malware executable is allowed to run in Safe Mode. The script then configures the system to boot into Safe Mode on the next startup.

Once the system reboots into Safe Mode, Crackonosh scans for installed antivirus software and attempts to disable it; the malware also wipes system log files.

“It also uses WQL to query all antivirus software installed SELECT * FROM AntiVirusProduct.” continues the report. “If it finds any of the following antivirus products it deletes them with rd <AV directory> /s /q command where <AV directory> is the default directory name the specific antivirus product uses. 

  • Adaware
  • Bitdefender
  • Escan
  • F-secure
  • Kaspersky
  • Mcafee (scanner only)
  • Norton
  • Panda

It has names of folders, where they are installed and finally it deletes %PUBLIC%\Desktop\.”

The malware deletes registry entries to stop Windows Defender and to turn off automatic updates. It also replaces Windows Defender with its own MSASCuiL.exe, which places the Windows Security icon in the system tray so the victim does not notice that protection is gone.
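The following PowerShell hunt script is an added example written for this article, not code from Avast's report or from the malware. It checks a Windows host for the traces described above: the Security Center query the malware uses, a pending Safe Mode boot, non-Windows services permitted under the SafeBoot keys (the assumed registry mechanism for running in Safe Mode), a stopped Defender or disabled Windows Update service, a non-Microsoft MSASCuiL.exe, and a missing %PUBLIC%\Desktop. Registry paths, service names and search locations are assumptions; run it from an elevated session.

```powershell
# Crackonosh-style tampering hunt (added example, assumptions noted inline).
$findings = @()

# 1. Which AV products are still registered? Same WQL query the report attributes to the malware.
$av = Get-CimInstance -Namespace 'root\SecurityCenter2' -Query 'SELECT * FROM AntiVirusProduct'
if (-not $av) { $findings += 'No antivirus product is registered with Security Center' }
else { $av | ForEach-Object { Write-Host "AV registered: $($_.displayName)" } }

# 2. Is the current boot entry set to start in Safe Mode?
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match 'safeboot') { $findings += 'Boot entry carries a safeboot flag (Safe Mode on next start)' }

# 3. SafeBoot keys (assumed mechanism): flag any allowed service whose binary lives outside C:\Windows.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    foreach ($entry in (Get-ChildItem $key -ErrorAction SilentlyContinue)) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$($entry.PSChildName)'" -ErrorAction SilentlyContinue
        if ($svc -and $svc.PathName -notmatch '^"?C:\\Windows\\') {
            $findings += "SafeBoot\$mode allows service '$($svc.Name)' with binary $($svc.PathName)"
        }
    }
}

# 4. Defender and Windows Update state (the article says both are switched off).
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $defender -or $defender.Status -ne 'Running') { $findings += 'WinDefend service is missing or not running' }
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($pol.DisableAntiSpyware -eq 1) { $findings += 'DisableAntiSpyware policy value is set' }
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu -or $wu.StartType -eq 'Disabled') { $findings += 'Windows Update service (wuauserv) is missing or disabled' }

# 5. Any MSASCuiL.exe that is not validly signed by Microsoft is suspect (search depth is an assumption).
Get-ChildItem -Path 'C:\Program Files', 'C:\Program Files (x86)' -Recurse -Depth 2 -Filter 'MSASCuiL.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "Unsigned or non-Microsoft MSASCuiL.exe at $($_.FullName)"
        }
    }

# 6. The report says the final cleanup step deletes %PUBLIC%\Desktop.
if (-not (Test-Path "$env:PUBLIC\Desktop")) { $findings += '%PUBLIC%\Desktop is missing' }

if ($findings.Count -eq 0) { Write-Host 'No Crackonosh-style tampering indicators found' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Any single warning is a lead, not proof; a Safe Mode flag or a non-Windows SafeBoot service on an unmanaged host deserves a look at the binary and its install time.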

The final stage of the Crackonosh attack chain is the installation of the coinminer XMRig to mine the Monero (XMR) cryptocurrency.

According to Avast, Crackonosh operators have mined more than 9,000 Monero coins (around $2 million at the current Monero price) and have infected more than 222,000 Windows computers since 2018.

The malware continues to infect systems worldwide; the experts estimate that roughly 1,000 devices are hit each day. The researchers have already identified 30 different versions of the malware, the latest of which was released in November 2020.

Most of the victims are located in the US, Brazil, India, Poland, and the Philippines.

“As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers,” Avast concludes. “The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you.”

Avast published Indicators of Compromise (IoCs) for this threat.


Pierluigi Paganini

(SecurityAffairs – hacking, Crackonosh)

