New Crackonosh cryptominer abuses Windows Safe mode to evade detection

Security researchers from Avast discovered a previously undocumented Windows cryptocurrency mining malware that has infected over 200,000 Windows systems worldwide since at least 2018. The malware, dubbed ‘Crackonosh’, is distributed along with pirated or cracked versions of popular software.

The main purpose of Crackonosh is to install the XMRig coinminer on infected machines. Since 2018, the malware's operator has mined more than 9,000 Monero coins (approx. $2 million) after infecting 222,000 Windows systems across the world, with the majority of victims located in the U.S., Brazil, India, Poland, and the Philippines.

Once a victim installs an illegal or cracked copy of legitimate software containing Crackonosh, the malicious code drops an installer (serviceinstaller.msi) and a script (maintenance.vbs), disables hibernation on the infected system, and configures the system to boot into Safe Mode on the next restart.

In Safe Mode, Windows Defender and most third-party antivirus services are not started, which gives the malware a window in which to disable and delete Windows Defender and other antivirus products and to turn off automatic updates. The malware then substitutes its own MSASCuiL.exe for the Windows Defender tray process, so the Windows Security icon still appears in the system tray and the user sees nothing amiss.
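The persistence and evasion steps described above all leave host-level traces: a safeboot value in the boot configuration, hibernation switched off, a missing or stopped WinDefend service, a tray process running from the wrong directory, and the dropped file names. The following PowerShell script is an added triage example, not Avast's code or anything from the malware itself; the registry values, the legitimate Defender directory under Program Files, and the Windows directory as the search location for the dropped files are assumptions that should be adjusted to your own environment and telemetry. Run it from an elevated prompt.

```powershell
# Added example: hunt for Crackonosh-style artifacts on a live Windows host.
# Assumptions (not from the article): registry value names, the legitimate
# MSASCuiL.exe directory, and the search root for the dropped files.
$findings = @()

# 1. Boot configuration: a persistent "safeboot" value forces the next boot into Safe Mode.
#    Remediate with: bcdedit /deletevalue '{current}' safeboot
$bcd = & bcdedit.exe /enum '{current}' 2>$null
$safeboot = $bcd | Where-Object { $_ -match '^\s*safeboot\s+' }
if ($safeboot) {
    $findings += "BCD {current} has a safeboot value set: $($safeboot.Trim())"
}

# 2. Hibernation: "powercfg /hibernate off" writes HibernateEnabled = 0 (assumed value name).
$pwr = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
if ($pwr -and $pwr.HibernateEnabled -eq 0) {
    $findings += 'Hibernation is disabled (HibernateEnabled = 0)'
}

# 3. Windows Defender service: deleted or stopped is a strong signal on a host that should have it.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings += 'WinDefend service is missing'
} elseif ($svc.Status -ne 'Running') {
    $findings += "WinDefend service is $($svc.Status)"
}

# 4. Tray process: the genuine MSASCuiL.exe lives under the Defender install directory (assumed path).
$legitDir = Join-Path $env:ProgramFiles 'Windows Defender'
Get-Process -Name MSASCuiL -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and -not $_.Path.StartsWith($legitDir, [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings += "MSASCuiL.exe running from unexpected path: $($_.Path)"
    }
}

# 5. Dropped files named in the article. Search root is an assumption; a recursive
#    walk of the Windows directory is slow but thorough for a one-off triage.
foreach ($name in 'serviceinstaller.msi', 'maintenance.vbs') {
    Get-ChildItem -Path $env:SystemRoot -Filter $name -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Dropped file candidate: $($_.FullName)" }
}

# 6. Automatic updates turned off through policy (assumed value name NoAutoUpdate).
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    $findings += 'Windows Update auto-update disabled by policy (NoAutoUpdate = 1)'
}

if ($findings.Count -eq 0) {
    'No Crackonosh-style artifacts found'
} else {
    $findings
}
```

None of these checks is conclusive on its own: an administrator may legitimately disable hibernation or auto-updates, and a safeboot value can be left over from troubleshooting. Two or more of them together on a machine that has recently run a cracked installer is what warrants pulling the host for a closer look, and the safeboot value should be removed before the next reboot so the machine does not come up with its antivirus offline again.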

The researchers said they identified 30 different versions of the malware executable, with the latest one released in November 2020.

“As long as people continue to download cracked software, attacks like these will continue to be profitable for attackers. The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you,” Avast security researcher Daniel Beneš said.
