Crackonosh Malware Exploits Windows Safe Mode to Mine Cryptocurrency Secretly

 

Researchers have uncovered a variant of cryptocurrency-mining malware that exploits Windows Safe Mode during attacks. 

Researchers at Avast have termed the malware Crackonosh, and it spreads through pirated and cracked software, which may be found through torrents, forums, and "warez" websites. 

Upon seeing reports on Reddit of Avast antivirus users who were concerned about the sudden disappearance of the antivirus program from their system files, the team investigated the matter and discovered it was the result of a malware infection. 

Since at least June 2018, Crackonosh has been in circulation, and when a victim runs a file that they think is a cracked version of genuine software, the virus gets installed as well. The infection chain starts with the distribution of an installer and a script that changes the Windows registry to allow the main malware executable to run in Safe mode. On the subsequent startup, the infected system is set to launch in Safe Mode. 

The researchers stated, "While the Windows system is in safe mode antivirus software doesn't work. This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL to query all antivirus software installed SELECT * FROM AntiVirusProduct." 

Crackonosh scans for antivirus software, such as Avast, Kaspersky, McAfee's scanner, Norton, and Bitdefender, and attempt to disable or destroy them. The log system files are then deleted to erase the evidence. Crackonosh also tries to disable Windows Update and replace Windows Security with a phoney green tick tray icon. 

The deployment of XMRig, a cryptocurrency miner that leverages system power and resources to mine the Monero (XMR) cryptocurrency, is the last step in the journey. 

According to Avast, Crackonosh has generated at least $2 million in Monero for its operators at today's pricing, with over 9000 XMR coins mined. Around 1,000 devices are infected each day and over 222,000 machines affected worldwide. There are 30 different variations of the malware, with the most recent one being released in November 2020. 

Avast stated, "As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers. The key take-away from this is that you really can't get something for nothing and when you try to steal software, odds are someone is trying to steal from you."