Security News > 2021 > June > Crackonosh virus mined $2 million of Monero from 222,000 hacked computers
A previously undocumented Windows malware has infected over 222,000 systems worldwide since at least June 2018, yielding its developer no less than 9,000 Moneros in illegal profits.
Dubbed "Crackonosh," the malware is distributed via illegal, cracked copies of popular software, only to disable antivirus programs installed in the machine and install a coin miner package called XMRig for stealthily exploiting the infected host's resources to mine Monero.
Crackonosh works by replacing critical Windows system files such as "Serviceinstaller.msi" and "Maintenance.vbs" to cover its tracks and abuses the safe mode, which prevents antivirus software from working, to delete Windows Defender and turn off automatic updates.
As part of its anti-detection and anti-forensics tactics, the malware also installs its own version of "MSASCuiL.exe", which puts the icon of Windows Security with a green tick to the system tray and runs tests to determine if it's running in a virtual machine.
"Crackonosh shows the risks in downloading cracked software," Avast security researcher Daniel Beneš said.
"As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers. The key take-away from this is that you really can't get something for nothing and when you try to steal software, odds are someone is trying to steal from you."