Pirated versions of popular games such as Grand Theft Auto V, NBA 2K19 and Pro Evolution Soccer 2018 attract a large number of gamers, who can download them free from various forums. However, there can be a hidden cost to these pirated copies. It has been reported that threat actors are using cracked or pirated versions of popular games to distribute malware, and this malware secretly mines cryptocurrency on the infected systems.
The threat has been named Crackonosh and has been active since at least June 2018. The malware removes the antivirus programs installed on the target system and then uses the system to mine cryptocurrency.
Understanding Crackonosh
The main aim of Crackonosh is to install XMRig on the infected system. XMRig is a coin miner, which the threat actors then use to secretly mine Monero cryptocurrency on the machine that ran the cracked software. Reports suggest that the threat actors have mined over $2 million, or about 9,000 XMR, in total. As of May 2021, the malware was reported to be still generating about 1,000 hits a day.
Here is a brief account of how the malware operates:
Disabling Antivirus
Crackonosh caught the eye of researchers when a large number of users reported that Avast Antivirus had been removed from their systems. The malware can remove antivirus software and disable security software and updates, and it uses other anti-analysis techniques as well, which makes it harder to discover, detect and remove. Crackonosh deletes installed antivirus products with the command rd <AV directory> /s /q, where <AV directory> is the default installation directory name of the specific product; targeted products include Adaware, Bitdefender, Escan, F-Secure, Kaspersky, McAfee (scanner only), Norton and Panda.
Infection Chain
Here is the brief infection process:
- The target downloads and installs the cracked or pirated software.
- The installer runs maintenance.vbs and starts the installation process using an MSI package.
- The MSI package registers and runs the main malware executable, serviceinstaller.exe.
- The executable installs a DLL, which extracts winlogui.exe and downloads winscomrssrv.dll and winrmsrv.exe.
- These files are decrypted and placed in the malware's folder.
Disabling Windows Defender
The malware disables Windows Defender and Windows Update by deleting a list of registry entries; the goal is to stop Windows Defender and turn off automatic updates. It then installs its own MSASCuiL.exe in place of the Windows Defender tray application, which adds a Windows Security icon to the system tray. This tricks the user into believing Defender is still running and prevents them from noticing that the original Windows Defender has been disabled.
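The two behaviours described above, the recursive quiet deletion of security-product directories and the fake MSASCuiL.exe tray process, are both visible in process-creation telemetry. The following is an added example of detection logic for them, written for this page and not code from Crackonosh, Avast or Centex Technologies. It runs over constructed Sysmon-style process-creation events embedded inline (not real telemetry); the field names, the assumed legitimate path of the Defender tray executable and the rule names are assumptions made for the example.

```python
"""Detect two Crackonosh behaviours in process-creation events:
 1. `rd <AV directory> /s /q` (or rmdir) against a known security-product directory
 2. MSASCuiL.exe running from anywhere but its legitimate Windows Defender path
"""
import re
from typing import Dict, Iterable, List, Tuple

# Directory-name markers for the products the page lists, plus Avast, whose
# removal first drew attention to the malware. Matched case-insensitively.
AV_DIR_MARKERS = ("adaware", "bitdefender", "escan", "f-secure", "kaspersky",
                  "mcafee", "norton", "panda", "avast")

# rd/rmdir with a quoted or bare target; /s and /q may appear before or after
# the target, in either order. cmd.exe is case-insensitive, so the regex is too.
RD_RE = re.compile(
    r'\b(?:rd|rmdir)\b(?P<pre>(?:\s+/[sq])*)\s+'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s/"][^\s"]*))'
    r'(?P<post>(?:\s+/[sq])*)',
    re.IGNORECASE,
)

# Assumed legitimate location of the Defender tray process (assumption for
# this example; adjust to the Windows build you actually deploy on).
LEGIT_DEFENDER_TRAY = r"c:\program files\windows defender\msascuil.exe"

Finding = Tuple[str, str]  # (rule name, detail)


def check_av_dir_removal(event: Dict[str, str]) -> List[Finding]:
    """Flag recursive (/s) and quiet (/q) deletion of a security-product directory."""
    findings: List[Finding] = []
    for m in RD_RE.finditer(event.get("CommandLine", "")):
        flags = (m.group("pre") + m.group("post")).lower()
        if "/s" not in flags or "/q" not in flags:
            continue  # an interactive or non-recursive rd is not the pattern
        target = (m.group("quoted") or m.group("bare")).lower()
        if any(marker in target for marker in AV_DIR_MARKERS):
            findings.append(("av_directory_removed", target))
    return findings


def check_fake_defender_tray(event: Dict[str, str]) -> List[Finding]:
    """Flag an MSASCuiL.exe image that is not the legitimate Defender binary."""
    image = event.get("Image", "").lower()
    if image.endswith("\\msascuil.exe") and image != LEGIT_DEFENDER_TRAY:
        return [("fake_defender_tray", event["Image"])]
    return []


def scan(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Run both rules over every event and collect the findings in order."""
    findings: List[Finding] = []
    for ev in events:
        findings.extend(check_av_dir_removal(ev))
        findings.extend(check_fake_defender_tray(ev))
    return findings


# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c rd "C:\Program Files\Kaspersky Lab" /s /q',
     "ParentImage": r"C:\Users\Public\serviceinstaller.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",            # benign cleanup, no AV marker
     "CommandLine": r"rd C:\Temp\build /s /q",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",            # switches before the target
     "CommandLine": r'rmdir /S /Q "C:\Program Files\Norton Security"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\ProgramData\MSASCuiL.exe",            # decoy tray icon
     "CommandLine": r"MSASCuiL.exe",
     "ParentImage": r"C:\Users\Public\winrmsrv.exe"},
    {"Image": r"C:\Program Files\Windows Defender\MSASCuiL.exe",  # the real one
     "CommandLine": r'"C:\Program Files\Windows Defender\MSASCuiL.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The rd rule keys on the combination of a security-product directory and the /s /q switches, because a plain `rd` of an arbitrary folder is everyday administration; the tray rule keys on the image path rather than the file name, which is exactly the detail the decoy relies on users not checking.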
Conclusion:
The Crackonosh attack re-emphasizes the fact that when you try to steal software, chances are someone is trying to steal from you. Such attacks can be prevented by steering away from downloading and using pirated or cracked software. Also, stay cautious and download software only from the authentic developer.
Centex Technologies has a team of cyber security professionals who help clients in understanding latest cyber security threats and formulate an effective defense strategy. To know more about latest malware attacks, call Centex Technologies at (972) 375 - 9654.