27. June 2021

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News

Researchers have uncovered a variant of cryptocurrency-mining malware that exploits Windows Safe Mode during attacks. 

Researchers at Avast have termed the malware Crackonosh, and it spreads through pirated and cracked software, which may be found through torrents, forums, and “warez” websites. 

Upon seeing reports on Reddit of Avast antivirus users who were concerned about the sudden disappearance of the antivirus program from their system files, the team investigated the matter and discovered it was the result of a malware infection. 

Since at least June 2018, Crackonosh has been in circulation, and when a victim runs a file that they think is a cracked version of genuine software, the virus gets installed as well. The infection chain starts with the distribution of an installer and a script that changes the Windows registry to allow the main malware executable to run in Safe mode. On the subsequent startup, the infected system is set to launch in Safe Mode. 

The researchers stated, “While the Windows system is in safe mode antivirus software doesn’t work. This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL to query all antivirus software installed SELECT * FROM AntiVirusProduct.” 
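The two behaviours described above, an executable registered to run in Safe Mode through the registry and a WQL query against the AntiVirusProduct class, can both be checked for from the defender's side. The following PowerShell is an added example written for this page, not code from the article, from Avast or from the malware; the baseline list of SafeBoot key names is a constructed placeholder, and the function names are assumptions of this example.

```powershell
# Added example, not code from the article or from Avast. A defender-side
# hunt for the two artefacts the article describes: an executable registered
# to run in Safe Mode via the SafeBoot registry keys, and antivirus products
# disappearing from the Security Center's AntiVirusProduct class (the class
# the researchers quote Crackonosh querying with WQL). Run elevated on a
# Windows workstation; root/SecurityCenter2 is not present on Server SKUs.

$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

# Constructed placeholder baseline. Export the real SafeBoot\Minimal and
# SafeBoot\Network key names from a known-good build of the same image.
$KnownSafeBootEntries = @(
    'AppInfo', 'Base', 'Boot Bus Extender', 'Boot file system', 'CryptSvc',
    'DcomLaunch', 'EventLog', 'File system', 'PlugPlay', 'RpcSs', 'WinDefend'
)

function Get-UnexpectedSafeBootEntries {
    param([string[]]$Baseline = $KnownSafeBootEntries)

    foreach ($profile in 'Minimal', 'Network') {
        $path = Join-Path $SafeBootRoot $profile
        if (-not (Test-Path $path)) { continue }

        foreach ($key in Get-ChildItem -Path $path) {
            if ($Baseline -contains $key.PSChildName) { continue }
            [pscustomobject]@{
                Profile = $profile
                Entry   = $key.PSChildName
                # The key's default value is normally 'Service' or 'Driver'.
                Type    = (Get-ItemProperty -Path $key.PSPath).'(default)'
            }
        }
    }
}

function Get-SafeBootBcdSetting {
    # A persistent 'safeboot' entry in the current boot entry means the
    # machine will restart into Safe Mode, as the article says Crackonosh
    # arranges. Normal hosts return nothing here.
    bcdedit /enum '{current}' 2>$null | Select-String -Pattern '^\s*safeboot\s+'
}

function Get-RegisteredAntivirus {
    # Same class the malware enumerates; an empty result on a host that
    # should have AV registered is a finding in itself.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue |
        Select-Object displayName, productState, pathToSignedProductExe
}

$unexpected = @(Get-UnexpectedSafeBootEntries)
if ($unexpected.Count -gt 0) {
    Write-Warning "SafeBoot entries not in baseline:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output "SafeBoot keys match baseline."
}

$safeboot = Get-SafeBootBcdSetting
if ($safeboot) { Write-Warning "Boot entry forces Safe Mode: $safeboot" }

$av = @(Get-RegisteredAntivirus)
if ($av.Count -eq 0) { Write-Warning "No antivirus product registered in Security Center." }
else { $av | Format-Table -AutoSize }

# Windows Defender's service should exist even if a third-party AV is active.
if (-not (Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue)) {
    Write-Warning "WinDefend service is missing."
}
```

The SafeBoot comparison is only as good as its baseline, so take the baseline from a clean host of the same Windows build rather than from the list above. On fleets with an EDR, the same three checks (new SafeBoot keys, a safeboot entry written to the BCD store, and Security Center losing its registered product) map directly onto telemetry you can alert on.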

Crackonosh scans for antivirus software such as Avast, Kaspersky, McAfee's scanner, Norton and Bitdefender, and attempts to disable or destroy it. System log files are then deleted to erase

[…]

Content was cut in order to protect the source. Please visit the source for the rest of the article.

Read the original article: Crackonosh Malware Exploits Windows Safe Mode to Mine Cryptocurrency Secretly