Researchers at Avast discovered a strain of malware that quietly turns video game pirates’ PCs into cryptomining machines. Called Crackonosh, the malware often goes unnoticed by its victims, as it forces PCs into Windows Safe Mode and deletes antivirus software.
Cryptomining malware utilizes a computer’s processing power to solve complex puzzles and “mine” digital currency, usually to contribute to a pool of cryptomining devices controlled by a hacker or criminal group. While cryptomining malware won’t break your computer, it will reduce computer performance, wear down components, and waste electricity.
PC gamers are the perfect targets for this flavor of malware, as their PCs often have powerful GPUs that are well suited to mine digital currency. Plus, desktop PCs are popular among gamers, so hackers have a better chance of infecting machines that are left on 24/7.
Avast says that it’s identified 30 variations on the malware, with the oldest versions originating in 2018. All versions of Crackonosh follow the same basic process, though.
First, a victim downloads cracked software (usually a game) through a torrenting platform, forum, or file distribution website (Google Drive is a popular option). When the victim tries to install this software, it triggers ‘serviceinstaller.exe,’ the main malware executable.
The malware then edits the Windows registry, giving itself permission to run in Safe Mode and forcing the victim’s PC to enter Safe Mode during its next startup. Because antivirus software doesn’t work in this mode, Crackonosh has the opportunity to uninstall antivirus software from your computer. Interestingly, the malware places a fake Windows Security icon in the victim’s taskbar tray and disables Windows Updates (likely to keep Windows Defender from reinstalling).
Finally, Crackonosh runs the XMRig software, which utilizes your PC to mine Monero digital currency.
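The chain described above can be turned into a simple host-level detection. This is an added example, not code from Avast or from the original article: the event format and sample records are constructed, `serviceinstaller.exe` and XMRig come from the text, and the `SafeBoot` registry path and the `wuauserv` / `WinDefend` service names are standard Windows names assumed here.

```python
from collections import defaultdict

# Stage matchers for the chain described above. serviceinstaller.exe and XMRig
# come from the article; the SafeBoot key path and the wuauserv / WinDefend
# service names are standard Windows names assumed here, not taken from it.
STAGES = [
    ("dropper", lambda e: e["kind"] == "process_start"
        and e["detail"].lower().endswith("\\serviceinstaller.exe")),
    ("safe_mode_registry", lambda e: e["kind"] == "registry_set"
        and "\\control\\safeboot\\" in e["detail"].lower()),
    ("defences_disabled", lambda e: e["kind"] == "service_change"
        and e["detail"].lower() in ("wuauserv:disabled", "windefend:deleted")),
    ("miner", lambda e: e["kind"] == "process_start"
        and "xmrig" in e["detail"].lower()),
]

def chain_progress(events):
    """Return {host: [stages seen]}. Stages may be missing from the logs,
    but a stage only counts if it occurs after the earlier stages matched."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_host[e["host"]].append(e)
    progress = {}
    for host, evs in by_host.items():
        seen, next_idx = [], 0
        for e in evs:
            for i in range(next_idx, len(STAGES)):
                name, match = STAGES[i]
                if match(e):
                    seen.append(name)
                    next_idx = i + 1
                    break
        progress[host] = seen
    return progress

def flag_hosts(events, min_stages=3):
    """Hosts showing at least min_stages of the chain, in order."""
    return sorted(h for h, s in chain_progress(events).items() if len(s) >= min_stages)

# Constructed sample events (hypothetical hosts, paths and timestamps).
SAMPLE = [dict(zip(("host", "time", "kind", "detail"), r)) for r in [
    ("PC-01", "2021-01-01T10:00", "process_start", r"C:\Games\setup\serviceinstaller.exe"),
    ("PC-01", "2021-01-01T10:01", "registry_set", r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleSvc"),
    ("PC-01", "2021-01-01T10:09", "service_change", "wuauserv:disabled"),
    ("PC-01", "2021-01-01T10:15", "process_start", r"C:\ProgramData\example\xmrig.exe"),
    ("PC-02", "2021-01-01T11:00", "registry_set", r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ExampleSvc"),
    ("PC-03", "2021-01-01T12:00", "process_start", r"C:\Tools\xmrig.exe"),
]]
```

Requiring several stages in order keeps a lone Safe Mode registry change or a deliberately installed miner from being flagged on its own.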
Avast says that Crackonosh has generated the equivalent of $2 million in Monero currency by leveraging the power of victims’ computers. Around 1,000 PCs are infected each day, according to Avast’s research, though the actual number could be much higher.
Removing Crackonosh from your PC is a hands-on task. If you suspect that your PC is infected, you can follow the removal steps on Avast’s website (under the “Removal of Crackonosh” subhead).