Security researchers have recently detected ‘Crackonosh’, a new variant of crypto-mining malware that abuses Windows Safe Mode.

Malicious Crackonosh crypto-mining malware:

Cybersecurity researchers at Avast Antivirus tracked down the new crypto-mining malware, which they dubbed Crackonosh, and found that it is delivered through pirated and cracked software, which is generally found on torrents, forums, and “warez” websites.

The investigation into Crackonosh began when Avast users reported on Reddit that the antivirus software had abruptly disappeared from their systems; this turned out to be a consequence of the malware.

According to the investigation, Crackonosh has been operating since at least June 2018. More than 1000 devices are compromised by the malware every day, and over 222,000 systems have already been infected.

Approximately 30 variants of the Crackonosh malware have been detected, the latest of which was released in November 2020.

The infection chain:

The malware is deployed on a target’s system when the cracked software file is first executed.

The infection chain begins by dropping an installer and a script that edits the Windows registry. This registry modification permits the main malware executable to run in Windows Safe Mode.

The infected system is then booted into Safe Mode on its next startup.

“While the Windows system is in safe mode antivirus software doesn’t work,” the researchers say. “This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL to query all antivirus software installed SELECT * FROM AntiVirusProduct.”

Crackonosh scans for all the major antivirus products, such as Avast, Kaspersky, McAfee’s scanner, Norton, and Bitdefender, and attempts to disable or delete them. It then deletes system log files to leave no trace.

To further compromise the Windows system, Crackonosh also tries to stop Windows Update and replaces the Windows Security tray icon with a fake green tick.
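The following PowerShell triage script is an added example for defenders and is not code from the article or from Avast. Run in an elevated session on a Windows host, it checks for the signs described above: non-standard entries among the services allowed to run in Safe Mode, a persistent Safe Mode boot flag, which antivirus products Security Center still reports (using the same AntiVirusProduct class the malware queries), and whether the Defender and Windows Update services are still present. The registry path, service names and WMI namespace are standard Windows names and are assumptions not taken from the article.

```powershell
# Host triage for the Crackonosh behaviours described in the article.
# Added example, not Avast's code. Run elevated; each function returns objects.

function Get-SafeBootEntries {
    # Services and drivers permitted to run in Safe Mode are registered here.
    # Any entry that is not a standard Windows component deserves a closer look.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($mode in 'Minimal', 'Network') {
        Get-ChildItem -Path (Join-Path $base $mode) -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Mode    = $mode
                    Entry   = $_.PSChildName
                    Default = (Get-ItemProperty -Path $_.PSPath).'(default)'
                }
            }
    }
}

function Get-SafeBootFlag {
    # A persistent 'safeboot' setting in the boot configuration means the
    # machine will keep starting in Safe Mode, where antivirus does not run.
    (bcdedit /enum '{current}' 2>$null) -match '^\s*safeboot'
}

function Get-RegisteredAntivirus {
    # Same WQL class the malware enumerates; here it confirms that the
    # products you expect are still registered with Security Center.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        Select-Object displayName, productState, pathToSignedProductExe
}

function Get-DefenderAndUpdateState {
    # Defender (WinDefend, WdNisSvc) and Windows Update (wuauserv) should
    # exist and not be disabled; a missing service matches the reported tampering.
    foreach ($svc in 'WinDefend', 'WdNisSvc', 'wuauserv') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $svc
            Present   = [bool]$s
            Status    = if ($s) { $s.Status } else { 'MISSING' }
            StartType = if ($s) { $s.StartType } else { 'n/a' }
        }
    }
}

Get-SafeBootEntries        | Format-Table -AutoSize
Get-SafeBootFlag
Get-RegisteredAntivirus    | Format-Table -AutoSize
Get-DefenderAndUpdateState | Format-Table -AutoSize
```

Compare the Safe Mode entries against a known-good host of the same Windows build; an unfamiliar entry combined with a missing WinDefend service is the pattern the article describes.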

Lastly, the malware deploys XMRig, a cryptocurrency miner that uses the compromised system’s resources and power to mine Monero (XMR).

According to Avast, the malware’s operators have generated close to $2 million in Monero at today’s prices, with over 9000 XMR having been mined.

“As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers,” says Avast. “The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you.”