Security researchers have reported the discovery of a new malware strain they named Crackonosh. It was uncovered by Avast researchers after they received reports from Reddit users that their antivirus programs had gone missing from their systems.
Crackonosh Malware in Detail
Avast looked into the reports and found the so-called Crackonosh malware, which propagates through illegal, cracked copies of popular software. The malware disables antivirus programs as part of its anti-detection and anti-forensics techniques, the researchers said.
The threat drops three key files: winrmsrv.exe, winscomrssrv.dll, and winlogui.exe. In addition to disabling third-party AV programs, the malware also disables Windows Defender and Windows Update as part of its anti-detection capabilities.
In terms of its installation, the malware follows these steps:
1. First, the victim runs the installer for the cracked software.
2. The installer runs maintenance.vbs.
3. maintenance.vbs then starts the installation using serviceinstaller.msi.
4. serviceinstaller.msi registers and runs serviceinstaller.exe, the main malware executable.
5. serviceinstaller.exe drops StartupCheckLibrary.dll.
6. StartupCheckLibrary.dll downloads and runs wksprtcli.dll.
7. wksprtcli.dll extracts a newer winlogui.exe and drops winscomrssrv.dll and winrmsrv.exe, which it carries in encrypted form; it decrypts them and places them in the same folder.
What is the purpose of Crackonosh? The end goal of the operation is to install the XMRig cryptocurrency miner. The researchers were able to uncover one wallet whose statistics revealed payments of 9,000 XMR in total; at current prices that sum is worth more than $2,000,000 USD.
In a nutshell, Crackonosh is capable of replacing critical Windows system files and abusing Windows Safe Mode to cripple the system's defence mechanisms. To protect itself further, it disables security software and system updates and uses various anti-analysis tricks to evade detection. Together, these techniques make Crackonosh very hard to detect and remove.
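The behaviour described above (dropped files, disabled Defender and Windows Update, Safe Mode abuse) suggests a simple host triage. The script below is an added example written for this page; it is not Avast's tooling and not code from the write-up. The file names are the ones the article lists. The search roots, the service names it watches, and the use of the BCD safeboot flag as a Safe Mode indicator are assumptions made here for illustration, not details the article states.

```powershell
# Added triage script (not part of the Avast write-up). Run from an elevated
# PowerShell 5.1+ prompt. File names are from the article; the search roots,
# service names and the safeboot check are assumptions made for this example.

# Artefacts named in the article: the three key files plus the install chain.
$IocFiles = @(
    'winrmsrv.exe', 'winscomrssrv.dll', 'winlogui.exe',
    'serviceinstaller.exe', 'StartupCheckLibrary.dll',
    'wksprtcli.dll', 'maintenance.vbs'
)

# Assumed search roots: the article only says "the folder", so start with the
# locations a service-installed payload is most likely to use.
$SearchRoots = @("$env:SystemRoot\System32", "$env:SystemRoot", $env:ProgramData, $env:TEMP)

function Find-CrackonoshFiles {
    param([string[]]$Roots = $SearchRoots, [string[]]$Names = $IocFiles)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -contains is case-insensitive, so StartupCheckLibrary.DLL still matches.
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name } |
            Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
    }
}

function Test-DefenceServices {
    # Assumed service names: Defender engine, Windows Update, Security Center.
    # wuauserv is demand-started on a healthy host, so only a Disabled start type
    # counts against it; Defender and Security Center should also be Running.
    $mustRun = 'WinDefend', 'wscsvc'
    foreach ($name in ('WinDefend', 'wscsvc', 'wuauserv')) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            [pscustomobject]@{ Service = $name; Status = 'MISSING'; StartType = 'n/a'; Suspicious = $true }
            continue
        }
        $suspicious = ($svc.StartType -eq 'Disabled') -or
                      (($mustRun -contains $name) -and ($svc.Status -ne 'Running'))
        [pscustomobject]@{ Service = $name; Status = $svc.Status; StartType = $svc.StartType; Suspicious = $suspicious }
    }
}

function Test-DefenderPresent {
    # Get-MpComputerStatus lives in the Defender module; if Defender has been
    # removed or its module is gone, the call itself fails, which is a finding.
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{ Present = $true; AntivirusEnabled = $s.AntivirusEnabled; RealTime = $s.RealTimeProtectionEnabled }
    } catch {
        [pscustomobject]@{ Present = $false; AntivirusEnabled = $false; RealTime = $false }
    }
}

function Test-SafeBootConfigured {
    # Assumption: a persistent "safeboot" entry in the boot configuration is one
    # way a machine can be forced into Safe Mode. The article does not say how
    # Crackonosh triggers Safe Mode, so treat a hit as a lead, not proof.
    $out = & bcdedit.exe /enum '{current}' 2>$null
    [bool]($out | Select-String -Pattern '^\s*safeboot\s' -Quiet)
}

# --- run the triage ---
$files    = @(Find-CrackonoshFiles)
$services = @(Test-DefenceServices)
$defender = Test-DefenderPresent
$safeboot = Test-SafeBootConfigured

Write-Host "Dropped-file IOCs found: $($files.Count)"
$files | Format-Table -AutoSize
Write-Host "Defence service state:"
$services | Format-Table -AutoSize
Write-Host "Defender present: $($defender.Present)  AV enabled: $($defender.AntivirusEnabled)  RTP: $($defender.RealTime)"
Write-Host "Persistent safeboot flag in BCD: $safeboot"

$findings = $files.Count + @($services | Where-Object Suspicious).Count +
            [int](-not $defender.Present) + [int]$safeboot
Write-Host "Total findings: $findings (0 = no Crackonosh indicators from this check)"
```

A file-name match alone is weak evidence, since the dropped names mimic legitimate Windows components; pair it with the service and Defender results, and hash or submit any hit before acting on it. The script deliberately reads state and never deletes anything, so it can be run on a live host before an image is taken.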
The Ever-Existing Danger of Cracked Software
This operation is yet another example of how dangerous it is to download cracked and pirated software. “Crackonosh has been circulating since at least June 2018 and has yielded over $2,000,000 USD for its authors in Monero from over 222,000 infected systems worldwide,” Avast pointed out.
“The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you,” the researchers concluded.
Earlier this year, we reported about a malicious campaign involving cracked copies of Microsoft Office and Adobe Photoshop. The copies harvested browser session cookies and Monero cryptocurrency wallets.