'Crackonosh' Disables Antivirus Programs
Malware Opens the Door to XMRig Cryptominer
Cyberattackers are using malware dubbed "Crackonosh" to disable many antivirus programs, paving the way for installation of the XMRig cryptominer, according to Avast. So far, this approach has generated more than $2 million in monero for the attackers over the last seven months, the security firm says.
"Crackonosh is distributed along with illegal, cracked copies of popular software and searches for and disables many popular antivirus programs as part of its anti-detection and anti-forensics tactics," Avast reports.
Avast listed 12 cracked games with which the malware is associated. Those include the popular NBA 2K19, Grand Theft Auto V and The Sims 4 Seasons.
The first instances of Crackonosh were spotted in December 2020, but Avast believes the malware is several years older.
"From all the wallets we found, there was one where we were able to find statistics. The pool sites showed payments of 9,000 XMR in total, that is, with today's prices, over $2,000,000," Avast reports.
Avast's researchers found Crackonosh gains entry when a device's operator downloads a game or other software from an illegal or "gray area" website. It then drops three files - winrmsrv.exe, winscomrssrv.dll and winlogui.exe - onto the targeted device.
The installer for the malicious download runs maintenance.vbs, which, in turn, runs serviceinstaller.msi, which runs the main malware executable, serviceinstaller.exe.
"From the original compilation date of Crackonosh, we identified 30 different versions of serviceinstaller.exe, the main malware executable, from 31.1.2018 up to 23.11.2020. It is easy to find out that serviceinstaller.exe is started from a registry key created by maintenance.vbs," the report states.
If the malware decides the targeted device is "safe" to operate on, it installs the Crackonosh payload to %SystemRoot%\system32 and one configuration file to %localappdata%\Programs\Common, and creates two Windows Task Scheduler tasks: InstallWinSAT, which starts maintenance.vbs, and StartupCheckLibrary, which starts StartupcheckLibrary.vbs.
At the same time, Crackonosh stops Windows Update and replaces the Windows Security tray icon with a fake green tick, which falsely indicates to the user that the system is protected.
After the malware is installed, it waits for the computer owner to restart the system between seven and 10 times. Then the malware begins to make changes.
Its first move is to disable the computer's hibernation system, so the malware runs constantly. To cover its tracks, it also deletes serviceinstaller.msi and maintenance.vbs and - the important part - sets the system to boot to safe mode on the next restart.
"While the Windows system is in safe mode, antivirus software doesn't work. This can enable the malicious serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL (Windows Management Instrumentation Query Language) to query all antivirus software installed," and if found, deletes the folders, Avast says. At this stage, XMRig is dropped, and it begins operations on every computer start.
In the report, Avast describes the files and scheduled tasks that need to be found and removed to delete the malware.
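The following hunt script is an added example, not code from the Avast report or from this article. It checks a single Windows host for the artifacts named above: the two scheduled task names, the dropped file names (assumed, as the article says, to sit under %SystemRoot%\system32), the configuration drop directory, and the registered antivirus products. Two checks rest on assumptions rather than on anything the article states: it reads the current BCD entry for a safeboot flag as a generic way to detect "boot to safe mode on the next restart", whatever mechanism set it, and it treats a missing or stopped WinDefend service as evidence that Windows Defender was disabled. The root/SecurityCenter2 AntiVirusProduct class is the standard place Windows Security Center registers AV products; the article does not say which WQL query Crackonosh itself runs.

```powershell
# Added Crackonosh hunt script (assumptions: file locations, BCD safeboot check, WinDefend check).
# Run in an elevated PowerShell on the host being inspected.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Persistence: scheduled task names from the article, with what they actually execute.
foreach ($name in 'InstallWinSAT', 'StartupCheckLibrary') {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Scheduled task '$name' present, runs: $actions")
    }
}

# 2. Dropped binaries and scripts; location in system32 is an assumption based on the
#    article's statement that the malware installs there. maintenance.vbs and
#    serviceinstaller.msi may already be gone because the malware deletes them.
$system32 = Join-Path $env:SystemRoot 'System32'
$dropped  = 'winrmsrv.exe', 'winscomrssrv.dll', 'winlogui.exe', 'serviceinstaller.exe',
            'serviceinstaller.msi', 'maintenance.vbs', 'StartupcheckLibrary.vbs'
foreach ($f in $dropped) {
    $p = Join-Path $system32 $f
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("File present: $p (SHA256 $hash)")
    }
}

# 3. Configuration drop directory named in the article; list whatever is there for triage.
$cfgDir = Join-Path $env:LOCALAPPDATA 'Programs\Common'
if (Test-Path -LiteralPath $cfgDir) {
    Get-ChildItem -LiteralPath $cfgDir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("Config candidate: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))")
    }
}

# 4. Safe-mode flag on the current boot entry (generic check; the article does not say how
#    Crackonosh sets safe mode, only that it does). bcdedit prints a "safeboot" line when set.
$bcd = & bcdedit.exe /enum '{current}' 2>$null
$safe = @($bcd | Where-Object { $_ -match '^\s*safeboot\s' })
if ($safe.Count -gt 0) {
    $findings.Add("BCD {current} has safe boot configured: $($safe -join ' ')")
}

# 5. Registered antivirus products (client Windows only; the namespace does not exist on Server)
#    and the Defender service, which the article says the malware disables and deletes.
$avs = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $avs) {
    $findings.Add('No antivirus product registered in root/SecurityCenter2')
} else {
    $avs | ForEach-Object { Write-Host "AV registered: $($_.displayName) (productState $($_.productState))" }
}
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $defender -or $defender.Status -ne 'Running') {
    $findings.Add('Windows Defender service (WinDefend) is missing or not running')
}

# 6. Windows Update, which the article says the malware stops.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and $wu.StartType -eq 'Disabled') {
    $findings.Add('Windows Update service (wuauserv) is disabled')
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'No Crackonosh indicators found.'
}
```

A hit on the task names or file names is the strongest signal; the safeboot, Defender and Windows Update checks are corroborating evidence only, since an administrator may have changed those settings legitimately. Record the SHA256 values before remediation so the samples can be matched against Avast's published indicators.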
The researchers note that in some cases, a victim will see an error message caused by the malware, which indicates the system is infected.