Hackers Crack Pirated Games with Cryptojacking Malware

Threat actors have so far made about $2 million from Crackonosh, which secretly mines Monero cryptocurrency from affected devices.

A new Monero cryptojacking malware distributed via “cracked” versions of popular online games is wiping out antivirus programs (AVs) and surreptitiously mining cryptocurrency in more than a dozen countries, researchers have found.

Dubbed “Crackonosh,” the malware — which has been active since June 2018 — lurks in pirated versions of Grand Theft Auto V, NBA 2K19 and Pro Evolution Soccer 2018 that gamers can download free in forums, according to a report posted online Thursday by researchers at Avast. The name means “mountain spirit” in Czech folklore, a reference to the researchers’ belief that the creators of the malware are from the Czech Republic.

Cracked software is a version of commercial software that is often offered for free but often with a catch — the code of the software has been tampered with, typically to insert malware or for some other purpose beneficial to whoever cracked it.

In the case of Crackonosh, the aim is to install the coinminer XMRig to mine Monero cryptocurrency from within the cracked software downloaded to an affected device, according to the report. So far, threat actors have reaped more than $2 million, or 9000 XMR in total, from the campaign, researchers said.

Crackonosh also appears to be spreading fast, affecting 222,000 unique devices in more than a dozen countries since December 2020. As of May, the malware was still getting about 1,000 hits a day, according to the report.

So far, the region most affected is the Philippines, with 18,448 victims; followed by Brazil (16,584); India (13,779); Poland (12,727); the United States (11,856); and the United Kingdom (8,946), researchers said.

Disabling Antivirus

Researchers discovered Crackonosh when people began reporting that their Avast AV programs were disappearing from their systems, they wrote. Indeed, the ability to disable antivirus protections also is a feature of the malware.

“Crackonosh protects itself by disabling security software and updates and uses other anti-analysis techniques,” researchers wrote. “These make it hard to discover, detect and remove.”

Crackonosh can delete the following AV programs using the command rd <AV directory> /s /q where <AV directory> is the default directory name that the specific antivirus product uses: Adaware, Bitdefender, Escan, F-secure, Kaspersky, McAfee (scanner only), Norton and Panda.

Infection Chain

The infection vector of the malware works like this: First someone downloads and installs the cracked software, the installer of which runs maintenance.vbs. That kicks off the installation process using serviceinstaller.msi, which registers and runs the main malware executable, serviceinstaller.exe.

That executable drops another file, StartupCheckLibrary.DLL, which then downloads and runs wksprtcli.dll. This file extracts newer winlogui.exe and drops winscomrssrv.dll and winrmsrv.exe which it contains, decrypts and places in the folder.

Researchers identified 30 different versions of serviceinstaller.exe, dating from Jan. 31, 2018, up to Nov. 23, 2020, researchers said. This main executable of the malware is started from a registry key created by Maintenance.vbs, they wrote.

Researchers backtracked even further to get to the root of how the malware makes it onto an infected device, they explained.

“The only clue to what happened before the Maintenance.vbs creates this registry key and how the files appear on the computer of the victim is the removal of InstallWinSAT task in maintenance.vbs,” they wrote in the report. “Hunting led us to uninstall logs containing everything about unpacking Crackonosh as part of it’s installation with cracked software.”

This discovery demonstrated that the malware was packed in a password-protected archive and unpacked in the process of installation, researchers added.

Disabling Windows Defender

Researchers also went into detail about how the malware deletes Windows Defender and Windows Update by deleting a list of registry entries to stop the former and turn off automatic updates.

“In the place of Windows Defender, it installs its own MSASCuiL.exe which puts the icon of Windows Security to the system tray,” they wrote.

Overall, Crackonosh is a cautionary tale for people who think they are getting something for nothing when they download cracked software, researchers said. It also demonstrates how lucrative a gig cracked software can be for attackers, they noted.

“As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers,” researchers wrote. “The key take-away from this is that … when you try to steal software, odds are someone is trying to steal from you.”

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!

Suggested articles