A strain of cryptocurrency-mining malware has been discovered that abuses Windows Safe Mode during its attacks.
Researchers at Avast have dubbed the malware Crackonosh. It spreads through pirated and cracked software and is typically distributed via torrents, forums, and “warez” websites.
Crackonosh has been in circulation since at least June 2018. The malware is deployed when a victim executes a file they believe to be a cracked version of legitimate software.
The infection chain begins by dropping an installer and a script that modifies the Windows registry so that the main malware executable is allowed to run in Safe Mode. The infected system is then configured to boot into Safe Mode on its next startup.
The researchers said that while Windows is running in Safe Mode, antivirus software does not run. This lets the malicious Serviceinstaller.exe disable and delete Windows Defender with little resistance. It also runs the WQL query “SELECT * FROM AntiVirusProduct” to enumerate every antivirus product registered on the system.
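The two techniques described above, a registry change that lets a binary start in Safe Mode and a forced Safe Mode boot, both leave inspectable traces on a host. The following PowerShell is an added defender-side check, not code from the article or from Avast; it assumes it runs elevated on the machine being inspected, and the “outside %SystemRoot%” heuristic and the Security Center query (client editions of Windows only) are assumptions for illustration.

```powershell
# Added example: hunt for Safe Mode persistence and a forced Safe Mode boot.
# Not Crackonosh's or Avast's code; assumes an elevated session on the host.
$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Get-SuspiciousSafeBootEntries {
    # Each subkey of SafeBoot\Minimal and SafeBoot\Network names a driver or
    # service that Windows is allowed to start in Safe Mode. A 'Service' entry
    # whose binary lives outside %SystemRoot% is exactly how a non-Microsoft
    # executable gets to run while most security software does not.
    foreach ($profile in 'Minimal', 'Network') {
        Get-ChildItem -Path (Join-Path $safeBootRoot $profile) -ErrorAction SilentlyContinue |
          ForEach-Object {
            $name = $_.PSChildName
            $kind = (Get-ItemProperty -Path $_.PSPath).'(default)'
            if ($kind -ne 'Service') { return }   # driver groups are skipped
            $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
            $image = [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath).TrimStart('"')
            if ($image -and $image -notlike "$env:SystemRoot\*") {
                [pscustomobject]@{ Profile = $profile; Entry = $name; ImagePath = $image }
            }
        }
    }
}

function Test-SafeBootConfigured {
    # bcdedit prints a 'safeboot' line for the {current} boot entry when the
    # next startup is forced into Safe Mode; a normal workstation has none.
    $out = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($out | Select-String -Pattern '^\s*safeboot\s' -Quiet)
}

function Get-RegisteredAntivirus {
    # Same WMI class the malware enumerates. Comparing this list before and
    # after an unexplained Safe Mode reboot shows whether a product vanished.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
      Select-Object displayName, productState, pathToSignedProductExe
}

Get-SuspiciousSafeBootEntries | Format-Table -AutoSize
if (Test-SafeBootConfigured) { Write-Warning 'Next boot is configured for Safe Mode' }
Get-RegisteredAntivirus | Format-Table -AutoSize
```

Any SafeBoot service entry pointing outside the Windows directory, or a safeboot flag on a workstation that nobody set, warrants a closer look at the referenced binary and the registry key's last-write time.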
Crackonosh checks for installed antivirus programs such as Avast, Kaspersky, McAfee’s scanner, Norton, and Bitdefender, and tries to disable or delete them. System log files are then wiped to cover its tracks.
Crackonosh also tries to stop Windows Update and replaces the Windows Security tray icon with a fake green tick.
Finally, XMRig, a cryptocurrency miner that consumes the system’s processing power and resources to mine Monero (XMR), is deployed.
In total, Crackonosh has generated at least $2 million in Monero, with over 9,000 XMR mined.
Around 1,000 devices are hit each day, and over 222,000 machines have been infected worldwide.
So far, 30 variants of the malware have been identified, with the latest version being released in November 2020.
Avast stated that as long as people keep downloading cracked software, attacks like these will continue because they remain profitable for attackers.