Crackonosh is Windows Malware that Mines for Crypto
Security researchers have uncovered a new strain of cryptomining malware. Named Crackonosh, it forces infected Windows machines to reboot into Safe Mode so that it can install and run without interference from security software.
The distribution chain is not particularly novel or uncommon: the malware is spread mainly through websites offering pirated or cracked software, torrents of illegal downloads, and forums where pirated apps and content are shared.
The curious fact about Crackonosh is that, although it was discovered only recently, researchers believe it has been circulating for a few years. The investigation began after users reported that their antivirus software had suddenly gone missing from their systems.
Crackonosh deploys when a user runs an infected installer, typically what they believe to be a cracked copy of an application. Once the payload is running, it modifies Windows registry entries so that its components are permitted to execute in Safe Mode, where third-party security software is normally not loaded. It then configures the PC to boot into Safe Mode on the next restart, without any user input.
Once the system has rebooted into Safe Mode, likely to the user's confusion, the malware first disables and then deletes Windows Defender and any other antivirus product installed on the system. It scans the system's drives for a wide range of popular antivirus packages, removes them, and wipes system log files to make tracing its activity as hard as possible.
After all of this is done, the malware finally installs XMRig, an open-source miner for the Monero cryptocurrency, which consumes a significant share of the system's CPU resources while active.
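The sequence described above (allow a service to run in Safe Mode, force a Safe Mode boot, remove the antivirus, wipe the logs, drop a miner) is also a checklist for a defender. The PowerShell triage script below is an added example, not code from the article or from the researchers who analysed Crackonosh. It assumes a Windows 10/11 client with Windows Defender installed and an elevated prompt. Because the article does not name the specific registry values the malware changes, the script checks the standard places Windows consults when deciding whether to boot into Safe Mode (the BCD `safeboot` option) and which services may run there (the `SafeBoot\Minimal` and `SafeBoot\Network` registry keys), and then looks for the after-effects the article describes. The registry paths, event IDs (Security 1102, System 104) and cmdlets are standard Windows ones; the heuristics for what counts as suspicious are my own assumptions and will need review on each host.

```powershell
# Added triage script (not from the article or from the Crackonosh researchers).
# Run from an elevated PowerShell prompt on a Windows 10/11 client. The checks
# cover the standard Safe Mode configuration points plus the side effects the
# article describes: missing/disabled antivirus, cleared event logs and a
# CPU-hungry process. Findings are collected for review, not auto-remediated.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the machine set to boot into Safe Mode on the next restart?
#    bcdedit prints a "safeboot   Minimal|Network" line when the option is set.
$bcd = & bcdedit /enum '{current}' 2>$null
$safeBootLine = $bcd | Where-Object { $_ -match '^\s*safeboot\s+\S+' }
if ($safeBootLine) {
    $findings.Add("BCD {current} is configured to boot into Safe Mode: $($safeBootLine.Trim())")
}

# 2. Which services are permitted to run in Safe Mode?
#    Windows starts only the services and drivers listed under SafeBoot\Minimal
#    (Safe Mode) or SafeBoot\Network (Safe Mode with Networking); anything that
#    wants to survive a Safe Mode boot must be added to these keys. Entries named
#    {GUID} are device classes and are skipped. Services whose binary lives
#    outside the Windows directory are listed for manual review (heuristic;
#    expect benign hits such as Defender's MsMpEng.exe under ProgramData).
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    foreach ($entry in (Get-ChildItem -Path $key -ErrorAction SilentlyContinue)) {
        $name = $entry.PSChildName
        if ($name -like '{*}') { continue }
        $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
        if (-not $svc -or -not $svc.ImagePath) { continue }
        $image = [Environment]::ExpandEnvironmentVariables($svc.ImagePath)
        if ($image -notmatch '(?i)(systemroot|system32|\\windows\\)') {
            $findings.Add("SafeBoot\$mode permits service '$name' -> $image")
        }
    }
}

# 3. Is antivirus still present? The article says the malware disables and then
#    deletes Defender and other AV products once it is running in Safe Mode.
$winDefend = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $winDefend) {
    $findings.Add("WinDefend service is missing")
} elseif ($winDefend.Status -ne 'Running') {
    $findings.Add("WinDefend service is present but $($winDefend.Status)")
}
# Security Center (client Windows only) keeps a registry of installed AV
# products; an empty list means every product has been removed or unregistered.
$avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $avProducts) {
    $findings.Add("No antivirus product is registered with Security Center")
}

# 4. Were the event logs wiped? Clearing a log leaves its own record: Security
#    event 1102 and System event 104 are written when a log is cleared.
$clearEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue) +
               @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -MaxEvents 5 -ErrorAction SilentlyContinue)
foreach ($e in $clearEvents) {
    $findings.Add("$($e.LogName) log was cleared at $($e.TimeCreated)")
}

# 5. Cross-check against the miner's footprint: XMRig is CPU-bound, so list the
#    processes with the most CPU time and where their binaries live. The binary
#    name can be anything, so judge by path and CPU usage rather than by name.
$topCpu = Get-Process | Sort-Object -Property CPU -Descending | Select-Object -First 5 Name, Id, CPU, Path

if ($findings.Count -eq 0) {
    Write-Host "No Safe Mode persistence, AV removal or log clearing indicators found."
} else {
    Write-Host "Indicators for review:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
Write-Host "`nTop CPU consumers (check unfamiliar paths):"
$topCpu | Format-Table -AutoSize
```

Save the script as a `.ps1` file and run it from an elevated prompt; the Safe Mode and Security Center checks need administrator rights, and the `SafeBoot` listing is a starting point for review rather than a verdict, since legitimate software occasionally registers itself there too. A host that shows a `safeboot` BCD entry it did not have before, a non-Windows service under `SafeBoot\Minimal`, a missing `WinDefend` service and a freshly cleared Security log at the same time matches the article's description closely enough to be isolated and imaged before anything is changed.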
According to the researchers' estimates, Crackonosh has likely earned its operators roughly $2 million in Monero. Daily infections are estimated at around a thousand, and the total number of infected systems at a worrying 220 thousand.
Of course, infections like this can be avoided entirely by staying away from websites that claim to host cracked versions of paid software. Even though such sites have become less common over the past decade or two as copyright enforcement has tightened around the world, the sheer number of Crackonosh infections shows that the problem is far from gone.