Avast researchers report on cryptocurrency-mining malware that abuses Windows Safe Mode and has likely generated millions of dollars over the past few years.
The latest version of Crackonosh, as Avast dubbed it, infects computers through cracked software, also known as “warez”, distributed on torrent sites and forums.
It all started with Reddit reports of Avast antivirus software suddenly disappearing from users' machines. Avast's team investigated and found that a malware infection was responsible.
The Crackonosh malware has been active since June 2018. Victims unwittingly deploy it together with a cracked version of the software they downloaded on their Windows computers.
The infection chain then moves on to a registry modification script and an installer. The script is needed so that the main malware executable, Serviceinstaller.exe, is permitted to run in Safe Mode. The infected system is then rebooted into Safe Mode, where the malware has free rein:
“While the Windows system is in safe mode, antivirus software doesn’t work,” the researchers say. “This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL to query all antivirus software installed: 'SELECT * FROM AntiVirusProduct'.”
Once in Safe Mode, Crackonosh removes antivirus products including Avast, Kaspersky, McAfee's scanner, Norton and Bitdefender, then wipes system logs to evade detection.
Crackonosh also tries to stop Windows Update and replaces the Windows Security icon with a plain green tick icon so the user believes protection is still in place.
Finally, it runs XMRig, an open-source cryptocurrency miner, to mine Monero on the victim's hardware.
According to Avast, Crackonosh has earned its operators over $2 million.
Researchers estimate that over 222,000 machines have been infected, with around 1,000 new infections each day.
Avast has identified around 30 variants of the malware; the latest was released in November 2020.
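As an added, defender-side illustration (this is not code from Avast's report, and it does not reproduce the malware), the following PowerShell audits a Windows host for the behaviours described above: a service registered to survive a Safe Mode boot, the same WQL query over AntiVirusProduct that the malware runs, a stopped or disabled Windows Update service, and a missing or disabled Windows Defender. It assumes that the standard SafeBoot allow-list keys (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network) are where such a service has to be registered, since that is how Windows decides what starts in Safe Mode; the article itself does not name the exact keys Crackonosh writes.

```powershell
# Added example for this article: defender-side checks for the behaviours described
# above. Not Avast's code; it does not reproduce the malware. Run from an elevated
# PowerShell prompt.
# Assumption: a service that must run in Safe Mode has to be listed under the
# standard SafeBoot allow-list keys below, which is where a Crackonosh-style
# registry change would land.

# --- 1. Services allowed to start in Safe Mode -------------------------------
$safeBootKeys = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
                'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'

$safeBootFindings = foreach ($key in $safeBootKeys) {
    foreach ($entry in (Get-ChildItem -Path $key -ErrorAction SilentlyContinue)) {
        # Entries whose default value is "Service" name a Win32 service; driver
        # class GUIDs and "Driver" entries are left alone.
        if ((Get-ItemProperty -Path $entry.PSPath).'(default)' -ne 'Service') { continue }

        $svc = Get-CimInstance -ClassName Win32_Service `
                               -Filter "Name='$($entry.PSChildName)'" `
                               -ErrorAction SilentlyContinue
        if (-not $svc -or -not $svc.PathName) { continue }

        # PathName may carry arguments; take the quoted path or the first token.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               else { ($svc.PathName -split ' ')[0] }

        $sig = if (Test-Path -LiteralPath $exe) {
                   (Get-AuthenticodeSignature -FilePath $exe).Status
               } else { 'FileMissing' }

        [pscustomobject]@{
            SafeBootList = Split-Path -Leaf $key
            Service      = $svc.Name
            ImagePath    = $exe
            InSystemRoot = $exe.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
            Signature    = $sig
            # Legitimate AV vendors register signed services here; an unsigned
            # or missing binary in this list is what you want a human to look at.
            Suspicious   = ($sig -ne 'Valid')
        }
    }
}

# --- 2. The same WQL query the malware uses to enumerate installed AV ---------
# root\SecurityCenter2 exists on client Windows only; on Server this is empty.
$avProducts = Get-CimInstance -Namespace 'root\SecurityCenter2' `
                              -Query 'SELECT * FROM AntiVirusProduct' `
                              -ErrorAction SilentlyContinue |
              Select-Object displayName, productState, pathToSignedProductExe

# --- 3. Windows Update and Defender state -------------------------------------
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
$wuFinding = [pscustomobject]@{
    Service   = 'wuauserv'
    Status    = if ($wu) { $wu.Status }    else { 'NotFound' }
    StartType = if ($wu) { $wu.StartType } else { 'NotFound' }
    Tampered  = (-not $wu) -or ($wu.StartType -eq 'Disabled')
}

$defender = try {
    $s = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{ Present = $true
                       AntivirusEnabled = $s.AntivirusEnabled
                       RealTimeProtection = $s.RealTimeProtectionEnabled }
} catch {
    # Get-MpComputerStatus failing outright is itself a finding: the Defender
    # module or service is gone, which matches the "delete Windows Defender" step.
    [pscustomobject]@{ Present = $false; AntivirusEnabled = $false; RealTimeProtection = $false }
}

'== Services registered to run in Safe Mode =='
$safeBootFindings | Format-Table -AutoSize
'== AV products registered with Security Center =='
$avProducts | Format-Table -AutoSize
'== Windows Update =='
$wuFinding | Format-List
'== Windows Defender =='
$defender | Format-List
```

Read the first table against your own baseline: on a clean host the Safe Mode service list is short and every entry is signed by Microsoft or a known AV vendor, so a new, unsigned entry pointing outside %SystemRoot% is exactly the footprint a Safe-Mode-persistent miner has to leave. An empty AV list on a client machine that had an AV installed, a disabled wuauserv, or a failing Get-MpComputerStatus each independently matches one of the steps the article describes.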
“As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers,” Avast says. “The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you.”