Crackonosh Malware

Crackonosh Malware Description

A new malware threat that drops a crypto-miner on infected machines has been brought to light in a recently released report by a cybersecurity company. Named Crackonosh, the threat is believed to have been active since at least 2018. According to the findings, the threatening campaign has managed to infect over 200,000 computers. The hackers deployed an XMRig payload and hijacked the resources of the breached devices to mine the Monero (XMR) cryptocurrency. It is estimated that the operators of Crackonosh have managed to generate around 9000 XMR, worth approximately $2 million at the current Monero exchange rate.

Crackonosh's Attack Chain

The Crackonosh malware is first injected into popular software products that have been cracked and made available on distribution platforms known for hosting pirated products. By weaponizing cracked video games, the operators of the threat ensure that a significant number of potential victims will be drawn in. Among the games chosen by the hackers are NBA2K19, Far Cry 5, Grand Theft Auto 5, The Sims 4, Euro Truck Simulator 2 and more.

Once Crackonosh is initiated, it replaces essential Windows services. The threat is also equipped with anti-detection routines and is capable of deleting anti-malware solutions from the breached system. This combination of functionalities allows Crackonosh to remain unseen for prolonged periods, maximizing the profits of the hackers.

To get rid of a select number of anti-malware products, Crackonosh abuses the Windows Safe Mode environment. In Safe Mode, anti-virus software is not able to run. The threat then activates the threatening Serviceinstaller.exe to disable and delete Windows Defender. In addition, by deleting specific registry entries, Crackonosh manages to stop Windows Defender and disable the automatic Windows Update process on the system. To mask the missing Defender, it installs a file named MSASCuiL.exe. The only function of this executable is to put a Windows Security icon on the system tray.
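
The end state described above (Defender gone, Windows Update disabled, a tray icon left behind) can be checked on a host with a short triage script. This is an added example, not code from the report: it assumes the standard Windows service names WinDefend and wuauserv, and it uses only the two file names mentioned in the paragraph.

```powershell
# Added triage sketch, not from the report. WinDefend and wuauserv are the
# standard Windows service names for Microsoft Defender Antivirus and Windows
# Update; the two file names are the ones the article mentions.
function Get-ServiceState {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name      = $Name
        Present   = [bool]$svc
        State     = $svc.State       # Running, Stopped, ...
        StartMode = $svc.StartMode   # Auto, Manual, Disabled
    }
}

$findings = [System.Collections.Generic.List[string]]::new()
$defender = Get-ServiceState -Name 'WinDefend'
$update   = Get-ServiceState -Name 'wuauserv'

if (-not $defender.Present) {
    $findings.Add('WinDefend service is missing')
} elseif ($defender.State -ne 'Running') {
    $findings.Add("WinDefend is $($defender.State), start mode $($defender.StartMode)")
}

# wuauserv is demand-started by default, so only a missing or disabled service is notable.
if (-not $update.Present) {
    $findings.Add('wuauserv service is missing')
} elseif ($update.StartMode -eq 'Disabled') {
    $findings.Add('wuauserv is disabled')
}

# Processes named in the article: report path and signature so an analyst can judge them.
$names = 'MSASCuiL.exe', 'Serviceinstaller.exe'
foreach ($name in $names) {
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name='$name'" -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $status = 'path unavailable'
        if ($p.ExecutablePath) {
            $status = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
        }
        $findings.Add("$name running (PID $($p.ProcessId)) from '$($p.ExecutablePath)', signature: $status")
    }
}

# The decoy scenario: a Windows Security tray icon with no Defender service behind it.
if ($findings -match 'MSASCuiL' -and $defender.State -ne 'Running') {
    $findings.Add('Tray icon process present while Defender is not running')
}

if ($findings.Count) { $findings } else { 'No indicators from this check' }
```

Defender also stops running when another anti-virus product is registered, and MSASCuiL.exe is a file name that legitimate Windows installations have used as well, so each finding is a lead to verify rather than a verdict.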

Cryptojacking is a relatively new malware subset that appeared alongside the meteoric rise in popularity of numerous cryptocurrencies that took place in the past several years. Instead of buying and building their own mining rigs, cybercriminals moved to creating malware threats capable of swiftly siphoning the hardware resources of the victim's system and forcing it to mine a specific cryptocurrency silently in the background. Users should stay alert and inspect any suspicious activity on their computers.