Crackonosh malware abuses Windows Safe mode to quietly mine for cryptocurrency

The malware is thought to have generated millions of dollars in just a few short years.

Researchers have discovered a strain of cryptocurrency-mining malware that abuses Windows Safe mode during attacks. 

The malware, dubbed Crackonosh by researchers at Avast, spreads through pirated and cracked software, often found through torrents, forums, and "warez" websites. 

After finding reports on Reddit of Avast antivirus users querying the sudden loss of the antivirus software from their system files, the team conducted an investigation into the situation, realizing it was due to a malware infection. 

Crackonosh has been in circulation since at least June 2018. Once a victim executes a file they believe to be a cracked version of legitimate software, the malware is also deployed. 

The infection chain begins with the drop of an installer and a script that modifies the Windows registry to allow the main malware executable to run in Safe mode. The infected system is set to boot in Safe Mode on its next startup. 

"While the Windows system is in safe mode antivirus software doesn't work," the researchers say. "This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL to query all antivirus software installed SELECT * FROM AntiVirusProduct."

Crackonosh will scan for the existence of antivirus programs -- including Avast, Kaspersky, McAfee's scanner, Norton, and Bitdefender -- and will attempt to disable or delete them. Log system files are then wiped to cover its tracks. 

In addition, Crackonosh will attempt to stop Windows Update and will replace Windows Security with a fake green tick tray icon. 

The final step of the journey is the deployment of XMRig, a cryptocurrency miner that leverages system power and resources to mine the Monero (XMR) cryptocurrency.

Overall, Avast says that Crackonosh has generated at least $2 million for its operators in Monero at today's prices, with over 9000 XMR coins having been mined. 

Approximately 1,000 devices are being hit each day and over 222,000 machines have been infected worldwide. 

In total, 30 variants of the malware have been identified, with the latest version being released in November 2020. 

"As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers," Avast says. "The key take-away from this is that you really can't get something for nothing and when you try to steal software, odds are someone is trying to steal from you."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0