
This Malware Generated $2 Million After Abusing 222,000 Windows Systems


Avast researchers published a report on Thursday regarding the discovery of a cryptocurrency mining malware that abuses Windows Safe mode and has likely generated more than 9,000 Monero coins (estimated today at around $2 million) after exploiting more than 222,000 Windows systems since 2018.

The latest version of Crackonosh, as Avast dubbed it, spreads through illegal, cracked copies of popular software, also known as “warez”, which is distributed on various torrent sites and forums.

The malware continues to infect systems worldwide, affecting 222,000 unique devices in more than a dozen countries since December 2020. As of May, the malware was still getting about 1,000 hits a day. The researchers have already spotted 30 different versions of the malware, the latest of which was published in November 2020.

According to Daniel Beneš, a malware analyst for antivirus maker Avast, the worst-hit region is the Philippines, with 18,448 victims; followed by Brazil (16,584); India (13,779); Poland (12,727); the United States (11,856); and the United Kingdom (8,946).

The researchers started investigating the threat after they received reports that Crackonosh was disabling and uninstalling Avast's own antivirus from infected devices. The company later discovered that Crackonosh was also disabling many other popular antivirus products, as well as Windows Defender and Windows Update, as part of an advanced set of anti-detection and anti-forensics tactics meant to allow the malware to remain undetected on infected hosts.

Once Crackonosh has weakened an infected host, it runs XMRig, a cryptocurrency miner that lets the attackers mine Monero using the victim's hardware, to earn a profit from infected computers. Earlier this month, the company identified another crypto-miner, named DirtyMoe, which infected more than 100,000 systems. The difference between the two was that DirtyMoe was primarily being spread using an SMB worm and that its developer appears to be based in China rather than Europe.

“As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers. The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you,” Beneš said.

Crackonosh Malware Exploits Windows Safe Mode to Mine Cryptocurrency Secretly


Researchers have uncovered a variant of cryptocurrency-mining malware that exploits Windows Safe Mode during attacks.

Researchers at Avast have termed the malware Crackonosh, and it spreads through pirated and cracked software, which may be found through torrents, forums, and "warez" websites.

Upon seeing reports on Reddit of Avast antivirus users who were concerned about the sudden disappearance of the antivirus program from their system files, the team investigated the matter and discovered it was the result of a malware infection. 

Crackonosh has been in circulation since at least June 2018, and when a victim runs a file that they think is a cracked version of genuine software, the malware gets installed as well. The infection chain starts with the distribution of an installer and a script that changes the Windows registry to allow the main malware executable to run in Safe Mode. On the subsequent startup, the infected system is set to launch in Safe Mode.

The researchers stated, "While the Windows system is in safe mode antivirus software doesn't work. This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL to query all antivirus software installed SELECT * FROM AntiVirusProduct." 

Crackonosh scans for antivirus software, such as Avast, Kaspersky, McAfee's scanner, Norton, and Bitdefender, and attempts to disable or destroy it. System log files are then deleted to erase the evidence. Crackonosh also tries to disable Windows Update and replace Windows Security with a phoney green tick tray icon.
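The three behaviours described above (a registry change that lets an executable run in Safe Mode, a persistent Safe Mode boot setting, and the WQL enumeration of installed antivirus followed by Defender and Windows Update being switched off) can each be checked for from the defender's side. The script below is an added triage example, not Avast's code or anything from the article. It assumes Windows 10/11 with an elevated PowerShell 5.1 or later session, and that the Safe Mode allow-list lives under the standard SafeBoot\Minimal and SafeBoot\Network keys; the function names are the example's own.

```powershell
# Added example: defender-side triage for the Safe Mode abuse pattern described
# in the article. Not Avast's or the malware's code. Assumes an elevated
# PowerShell 5.1+ session on Windows 10/11.

function Get-SafeBootEntries {
    # Every subkey under SafeBoot\Minimal or SafeBoot\Network names a service or
    # driver that Windows will start in Safe Mode. An entry pointing at an
    # unexpected service is the kind of registry change the article describes.
    # Stock entries vary by build, so this lists them all for the analyst
    # instead of hard-coding a baseline.
    foreach ($profile in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile"
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Profile = $profile
                Name    = $_.PSChildName
                Type    = $_.GetValue('')   # 'Service' or 'Driver' on stock entries
            }
        }
    }
}

function Get-PersistentSafeBootSetting {
    # If the boot loader has been told to keep starting in Safe Mode, bcdedit
    # shows a 'safeboot' line on the current boot entry. Returns that line, or
    # nothing when the setting is absent.
    $lines = & bcdedit /enum '{current}' 2>$null
    $lines | Where-Object { $_ -match '^\s*safeboot\s+' }
}

function Get-RegisteredAntivirus {
    # The same WQL query the article quotes, issued against the namespace that
    # exposes the class. productState is a vendor-reported bitmask; compare it
    # with a known-good machine rather than relying on a decoded meaning.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -Query 'SELECT * FROM AntiVirusProduct' |
        Select-Object -Property displayName, productState, pathToSignedProductExe
}

function Get-ProtectionServiceState {
    # Crackonosh disables Windows Defender and Windows Update. Any of these
    # services being stopped or disabled on a machine where nobody did that
    # deliberately is a signal worth chasing.
    foreach ($name in 'WinDefend', 'wuauserv', 'wscsvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Status    = $(if ($svc) { $svc.Status }    else { 'missing' })
            StartType = $(if ($svc) { $svc.StartType } else { 'missing' })
        }
    }
}

# Run all four checks and print the results as tables.
'--- Safe Mode allow-list (SafeBoot\Minimal and SafeBoot\Network) ---'
Get-SafeBootEntries | Format-Table -AutoSize
'--- Persistent safeboot flag on the current boot entry ---'
$flag = Get-PersistentSafeBootSetting
if ($flag) { $flag } else { 'none set' }
'--- Antivirus products registered with Security Center ---'
Get-RegisteredAntivirus | Format-Table -AutoSize
'--- Defender / Windows Update / Security Center services ---'
Get-ProtectionServiceState | Format-Table -AutoSize
```

The SafeBoot listing is deliberately not filtered against a whitelist: the set of legitimate entries differs between Windows builds and installed products, so diffing the output against a clean reference image of the same build is more reliable than a hard-coded list. A `safeboot` line from bcdedit on a user workstation, or a non-Microsoft service named under SafeBoot\Minimal, is unusual enough to warrant pulling the host for a closer look.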

The deployment of XMRig, a cryptocurrency miner that leverages system power and resources to mine the Monero (XMR) cryptocurrency, is the last step in the journey.

According to Avast, Crackonosh has generated at least $2 million in Monero for its operators at today's pricing, with over 9,000 XMR coins mined. Around 1,000 devices are infected each day, and over 222,000 machines have been affected worldwide. There are 30 different variations of the malware, with the most recent one released in November 2020.

Avast stated, "As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers. The key take-away from this is that you really can't get something for nothing and when you try to steal software, odds are someone is trying to steal from you."