“Crackonosh” malware is being hidden in free versions of games like NBA 2K19, Grand Theft Auto V, Far Cry 5, The Sims 4 and Jurassic World Evolution, which are available to download on torrent sites, Avast said on Thursday.
Crackonosh is distributed along with illegal, cracked copies of popular software and searches for and disables many popular antivirus programs as part of its anti-detection and anti-forensics tactics.
The main target of Crackonosh was the installation of the coinminer XMRig.
Crackonosh installs itself by replacing critical Windows system files and abusing the Windows Safe mode to impair system defenses.This malware further protects itself by disabling security software, operating system updates and employs other anti-analysis techniques to prevent discovery, making it very difficult to detect and remove.
In summary, Crackonosh shows the risks in downloading cracked software and demonstrates that it is highly profitable for attackers.
-AVAST
- First, the victim runs the installer for the cracked software.
- The installer runs
maintenance.vbs Maintenance.vbsthen starts the installation usingserviceinstaller.msiServiceinstaller.msiregisters and runsserviceinstaller.exe, the main malware executable.Serviceintaller.exedropsStartupCheckLibrary.DLL.StartupCheckLibrary.DLLdownloads and runswksprtcli.dll.Wksprtcli.dllextracts newerwinlogui.exeand dropswinscomrssrv.dllandwinrmsrv.exewhich it contains, decrypts and places in the folder.
| Name of infected installer | SHA256 |
| NBA 2K19 | E497EE189E16CAEF7C881C1C311D994AE75695C5087D09051BE59B0F0051A6CF |
| Grand Theft Auto V | 65F39206FE7B706DED5D7A2DB74E900D4FAE539421C3167233139B5B5E125B8A |
| Far Cry 5 | 4B01A9C1C7F0AF74AA1DA11F8BB3FC8ECC3719C2C6F4AD820B31108923AC7B71 |
| The Sims 4 Seasons | 7F836B445D979870172FA108A47BA953B0C02D2076CAC22A5953EB05A683EDD4 |
| Euro Truck Simulator 2 | 93A3B50069C463B1158A9BB3A8E3EDF9767E8F412C1140903B9FE674D81E32F0 |
| The Sims 4 | 9EC3DE9BB9462821B5D034D43A9A5DE0715FF741E0C171ADFD7697134B936FA3 |
| Jurassic World Evolution | D8C092DE1BF9B355E9799105B146BAAB8C77C4449EAD2BDC4A5875769BB3FB8A |
| Fallout 4 GOTY | 6A3C8A3CA0376E295A2A9005DFBA0EB55D37D5B7BF8FCF108F4FFF7778F47584 |
| Call of Cthulhu | D7A9BF98ACA2913699B234219FF8FDAA0F635E5DD3754B23D03D5C3441D94BFB |
| Pro Evolution Soccer 2018 | 8C52E5CC07710BF7F8B51B075D9F25CD2ECE58FD11D2944C6AB9BF62B7FBFA05 |
| We Happy Few | C6817D6AFECDB89485887C0EE2B7AC84E4180323284E53994EF70B89C77768E1 |
Removal of Crackonosh
The following steps are required to fully remove Crackonosh.
Delete the following Scheduled Tasks (Task Schedulers)
Microsoft\Windows\Maintenance\InstallWinSAT
Microsoft\Windows\Application Experience\StartupCheckLibrary
Microsoft\Windows\WDI\SrvHost\
Microsoft\Windows\Wininet\Winlogui\
Microsoft\Windows\Windows Error Reporting\winrmsrv\
Delete the following files from c:\Windows\system32\
7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450
7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450B
diskdriver.exe
maintenance.vbs
serviceinstaller.exe
serviceinstaller.msi
startupcheck.vbs
startupchecklibrary.dll
windfn.exe
winlogui.exe
winrmsrv.exe
winscomrssrv.dll
wksprtcli.dll
Delete the following file from C:\Documents and Settings\All Users\Local Settings\Application Data\Programs\Common (%localappdata%\Programs\Common)
UserAccountControlSettingsDevice.dat
Delete the following file from C:\Program Files\Windows Defender\
MSASCuiL.exe
Delete the following Windows registry keys (using regedit.exe)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender value DisableAntiSpyware
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection value DisableBehaviorMonitoring
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection value DisableOnAccessProtection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection value DisableScanOnRealtimeEnable
HKLM\SOFTWARE\Microsoft\Security Center value AntiVirusDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center value FirewallDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center value UpdatesDisableNotify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer value HideSCAHealth
HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting value DisableEnhancedNotifications
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value winlogui
Restore the following default Windows services (Note: depends on your OS version – see https://www.tenforums.com/tutorials/57567-restore-default-services-windows-10-a.html)
wuauserv
SecurityHealthService
WinDefend
Sense
MsMpSvc
Reinstall Windows Defender and any third-party security software, if any was installed.
Error messages
On infected machines, sometimes the following error messages about the file Maintenance.vbs can appear.
Type Mismatch: ‘CInt’, Code: 800A000D
Can not find script file
Both of these are bugs in the Crackonosh installation.
Source: https://decoded.avast.io/danielbenes/crackonosh-a-new-malware-distributed-in-cracked-software/