🔒
There are new articles available, click to refresh the page.
Before yesterdayAvast Threat Labs

Crackonosh: A New Malware Distributed in Cracked Software

24 June 2021 at 09:39

We recently became aware of customer reports advising that Avast antivirus was missing from their systems – like the following example from Reddit.

From Reddit

We looked into this report and others like it and have found a new malware we’re calling “Crackonosh” in part because of some possible indications that the malware author may be Czech. Crackonosh is distributed along with illegal, cracked copies of popular software and searches for and disables many popular antivirus programs as part of its anti-detection and anti-forensics tactics.

In this posting we analyze Crackonosh. We look first at how Crackonosh is installed. In our analysis we found that it drops three key files winrmsrv.exe, winscomrssrv.dll and winlogui.exe which we analyze below. We also include information on the steps it takes to disable Windows Defender and Windows Update as well as anti-detection and anti-forensics actions. We include information on how to remove Crackonosh. Finally, we include indicators of compromise for Crackonosh.

Number of hits since December 2020. In total over 222,000 unique devices.
Number of users infected by Crackonosh since December 2020. In May it is still about a thousand hits every day.

The main target of Crackonosh was the installation of the coinminer XMRig, from all the wallets we found, there was one where we were able to find statistics. The pool sites showed payments of 9000 XMR in total, that is with today prices over $2,000,000 USD.

Statistics from xmrpool.eu
Statistics from MoneroHash

Installation of Crackonosh

The diagram below depicts the entire Crackonosh installation process.

Diagram of installation
  1. First, the victim runs the installer for the cracked software.
  2. The installer runs maintenance.vbs
  3. Maintenance.vbs then starts the installation using serviceinstaller.msi
  4. Serviceinstaller.msi registers and runs serviceinstaller.exe, the main malware executable.
  5. Serviceintaller.exe drops StartupCheckLibrary.DLL.
  6. StartupCheckLibrary.DLL downloads and runs wksprtcli.dll.
  7. Wksprtcli.dll extracts newer winlogui.exe and drops winscomrssrv.dll and winrmsrv.exe which it contains, decrypts and places in the folder.

From the original compilation date of Crackonosh we identified 30 different versions of serviceinstaller.exe, the main malware executable, from 31.1.2018 up to 23.11.2020. It is easy to find out that serviceinstaller.exe is started from a registry key created by Maintenance.vbs

The only clue to what happened before the Maintenance.vbs creates this registry key and how the files appear on the computer of the victim is the removal of InstallWinSAT task in maintenance.vbs. Hunting led us to uncover uninstallation logs containing Crackonosh unpacking details when installed with cracked software.

The following strings were found in uninstallation logs:

  • {sys}\7z.exe
  • -ir!*.*? e -pflk45DFTBplsd -y "{app}\base_cfg3.scs" -o{sys}
  • -ir!*.*? e -pflk45DFTBplsd -y "{app}\base_cfg4.scs" -o{localappdata}\Programs\Common
  • /Create /SC ONLOGON /TN "Microsoft\Windows\Maintenance\InstallWinSAT" /TR Maintenance.vbs /RL HIGHEST /F
  • /Create /SC ONLOGON /TN "Microsoft\Windows\Application Experience\StartupCheckLibrary" /TR StartupCheck.vbs /RL HIGHEST /F

This shows us that Crackonosh was packed in a password protected archive and unpacked in the process of installation. Here are infected installers we found:

Name of infected installer SHA256
NBA 2K19 E497EE189E16CAEF7C881C1C311D994AE75695C5087D09051BE59B0F0051A6CF
Grand Theft Auto V 65F39206FE7B706DED5D7A2DB74E900D4FAE539421C3167233139B5B5E125B8A
Far Cry 5 4B01A9C1C7F0AF74AA1DA11F8BB3FC8ECC3719C2C6F4AD820B31108923AC7B71
The Sims 4 Seasons 7F836B445D979870172FA108A47BA953B0C02D2076CAC22A5953EB05A683EDD4
Euro Truck Simulator 2 93A3B50069C463B1158A9BB3A8E3EDF9767E8F412C1140903B9FE674D81E32F0
The Sims 4 9EC3DE9BB9462821B5D034D43A9A5DE0715FF741E0C171ADFD7697134B936FA3
Jurassic World Evolution D8C092DE1BF9B355E9799105B146BAAB8C77C4449EAD2BDC4A5875769BB3FB8A
Fallout 4 GOTY 6A3C8A3CA0376E295A2A9005DFBA0EB55D37D5B7BF8FCF108F4FFF7778F47584
Call of Cthulhu D7A9BF98ACA2913699B234219FF8FDAA0F635E5DD3754B23D03D5C3441D94BFB
Pro Evolution Soccer 2018 8C52E5CC07710BF7F8B51B075D9F25CD2ECE58FD11D2944C6AB9BF62B7FBFA05
We Happy Few C6817D6AFECDB89485887C0EE2B7AC84E4180323284E53994EF70B89C77768E1
Infected installers

The installer Inno Setup executes the following script. If it finds it’s “safe” to run malware, then installs the Crackonosh malware to %SystemRoot%\system32\ and one configuration file to %localappdata%\Programs\Common and creates in the Windows Task scheduler the tasks InstallWinSAT to start maintenance.vbs and StartupCheckLibrary to start StartupcheckLibrary.vbs. Otherwise it does nothing at all.

Reconstructed Crackonosh Inno Setup installer script

Installation script

Analysis of Maintenance.vbs

As noted before, the Crackonosh installer registerers the maintenance.vbs script with the Windows Task Manager and sets it to run on system startup. The Maintenance.vbs creates a counter, that counts system startups until it reaches the 7th or 10th system start, depending on the version. After that the Maintenance.vbs runs serviceinstaller.msi, disables hibernation mode on the infected system and sets the system to boot to safe mode on the next restart. To cover its tracks it also deletes serviceinstaller.msi and maintenance.vbs.

Below is the maintenance.vbs script:

Maintenance.vbs

Serviceinstaller.msi does not manipulate any files on the system, it only modifies the registry to register serviceinstaller.exe, the main malware executable, as a service and allows it to run in safe mode. Below you can see the registry entries serviceinstaller.msi makes.

MSI Viewer screenshot of serviceinstaller.msi

Using Safe Mode to Disable Windows Defender and Antivirus

While the Windows system is in safe mode antivirus software doesn’t work. This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL to query all antivirus software installed SELECT * FROM AntiVirusProduct. If it finds any of the following antivirus products it deletes them with rd <AV directory> /s /q command where <AV directory> is the default directory name the specific antivirus product uses. 

  • Adaware
  • Bitdefender
  • Escan
  • F-secure
  • Kaspersky
  • Mcafee (scanner only)
  • Norton
  • Panda

It has names of folders, where they are installed and finally it deletes %PUBLIC%\Desktop\.

Older versions of serviceinstaller.exe used pathToSignedProductExe to obtain the containing folder. This folder was then deleted. This way Crackonosh could delete older versions of Avast or current versions with Self-Defense turned off.

It also drops StartupCheckLibrary.dll and winlogui.exe to %SystemRoot%\system32\ folder.

In older versions of serviceinstaller.exe it drops windfn.exe which is responsible for dropping and executing winlogui.exe. Winlogui.exe contains coinminer XMRig and in newer versions the serviceinstaller drops winlogui and creates the following registry entry:

This connects the infected PC to the mining pool on every start.

Disabling Windows Defender and Windows Update

It deletes following registry entries to stop Windows Defender and turn off automatic updates.

commands executed by serviceinstaller.exe

In the place of Windows Defender it installs its own MSASCuiL.exe which puts the icon of Windows Security to the system tray. 

It has the right icon
Deleted Defender

Searching for Configuration Files 

Looking at winrmsrv.exe (aaf2770f78a3d3ec237ca14e0cb20f4a05273ead04169342ddb989431c537e83) behavior showed something interesting in its API calls. There were over a thousand calls of FindFirstFileExW and FindNextFileExW. We looked at what file it was looking for, unfortunately the author of malware hid the name of the file behind an SHA256 hash as shown below.

In this image, you see the function searching for a file by hash of file name from winrmsrv.exe. Some nodes are grouped for better readability.

This technique was used in other parts of Crackonosh, sometimes with SHA1. 

Here is a list of searched hashes and corresponding names and paths. In the case of UserAccountControlSettingsDevice.dat the search is also done recursively in all subfolders. 

  • in CSIDL_SYSTEM
    • File 7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450
      • SHA1: F3764EC8078B4524428A8FC8119946F8E8D99A27
      • SHA256: 86CC68FBF440D4C61EEC18B08E817BB2C0C52B307E673AE3FFB91ED6E129B273
    • File 7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450B
      • SHA1: 1063489F4BDD043F72F1BED6FA03086AD1D1DE20
      • SHA256: 1A57A37EB4CD23813A25C131F3C6872ED175ABB6F1525F2FE15CFF4C077D5DF7
  • Searched in CSIDL_Profile and actual location is %localappdata%\Programs\Common
    • File UserAccountControlSettingsDevice.dat
      • SHA1: B53B0887B5FD97E3247D7D88D4369BFC449585C5
      • SHA256: 7BB5328FB53B5CD59046580C3756F736688CD298FE8846169F3C75F3526D3DA5

These files contain configuration information encrypted with xor cipher with the keys in executables. 

After decryption we found names of other parts of malware, some URLs, RSA public keys, communication keys for winrmsrv.exe and commands for XMRig. RSA keys are 8192 and 8912 bits long. These keys are used to verify every file downloaded by Crackonosh (via StartupCheckLibrary.dll, winrmsrv.exe, winscomrssrv.dll).

Here we found the first remark of wksprtcli.dll.

StartupCheckLibrary.dll and Download of wksprtcli.dll

StartupCheckLibrary.dll is the way how the author of Crackonosh can download updates of Crackonosh on infected machines. Startupchecklibrary.dll queries TXT DNS records for domains first[.]universalwebsolutions[.]info and second[.]universalwebsolutions[.]info (or other TLDs like getnewupdatesdownload[.]net and webpublicservices[.]org). There are TXT DNS records like [email protected]@@FEpHw7Hn33. From the first twelve letters it computes the IP address as shown on image. Next five characters are the digits of the port encrypted by adding 16. This gives us a socket, where to download wksprtcli.dll. The last eight characters are the version. Downloaded data is validated against one of the Public keys stored in the config file.

Decryption of IP address, screenshot from Ida

Wksprtcli.dll (exports DllGetClassObjectMain) is updating older versions of Crackonosh. The oldest version of wksprtcli.dll that we found checks only the nonexistence of winlogui.exe. Then it deletes diskdriver.exe (previous coinminer) and autostart registry entry. The newest version has a time frame when it runs. It deletes older versions of winlogui.exe or diskdriver.exe and drops new version of winlogui.exe. It drops new config files and installs winrmsrv.exe and winscomrssrv.dll. It also changed the way of starting winlogui.exe from registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to a task scheduled on user login.

Tasks created in Windows task scheduler by wksprtcli.dll

In the end it disallows hibernation and Windows Defender. 

Wksprtcli.dll also checks computer time. The reason may be not to overwrite newer versions and to make dynamic analysis harder. It also has written date after which it to stop winlogui task to be able to replace files.

File
(time of compilation)
Timestamp 1
(after this it kills winlogui task, so it can update it)
Timestamp 2
(before this it runs)
5C8B… (2020-11-20) 2019-12-01 2023-12-30
D9EE… (2019-11-24) 2019-12-01 2020-12-06
194A… (2019-11-24) 2019-03-09
FA87… (2019-03-22) Uses winlogui size instead 2019-11-02
C234… (2019-02-24) 2019-03-09 2019-11-02
A2D0… (2018-12-27)
D3DD… (2018-10-13)
Hardcoded timestamps, full file hashes are in IoCs

Analysis of Winrmsrv.exe

Winrmsrv.exe is responsible for P2P connection of infected machines. It exchanges version info and it is able to download newer versions of Crackonosh. We didn’t find any evidence of versions higher than 0 and therefore we don’t know what files are transferred.

Winrmsrv.exe searches for internet connection. If it succeeds it derives three different ports in the following ways.

First, in the config file, there is offset (49863) and range (33575) defined. For every port there is computed SHA-256 from date (days from Unix Epoch time) and 10 B from config file. Every port is then set as offset plus the first word of SHA moduled by range (offset + (2 B of SHA % range)).

First two ports are used for incoming TCP connections. The last one is used to listen to an incoming UDP. 

Obtain ports, screenshot from IDA

Next, winrmsrv.exe starts sending UDP packets containing version and timestamp to random IP addresses to the third port (approximately 10 IP’s per second). Packet is prolonged with random bytes (to random length) and encrypted with a Vigenère cipher. 

UDP packet

Finally, if winrmsrv.exe finds an IP address infected with Crackonosh, it stores the IP, control version and starts updating the older one with the newer one. The update data is signed with the private key. On the next start winrmsrv.exe connects all stored IP’s to check the version before trying new ones. It blocks all IP addresses after the communication. It blocks them for 4 hours unless they didn’t follow the protocol, then the block is permanent (until restart).

We have modified masscan to check this protocol. It showed about 370 infected IP addresses over the internet (IPv4).

A UDP Hello B
Sends UDP Packet from random port to port 3 -> decrypt, check timestamp (in last 15 s) and if the version match ban IP address for next 4 hr
decrypt, check timestampsame version: do nothingB has lower version: TCP send B has higher version: TCP receive <- Sends UDP Crackonosh Hello Packet to port of A
A TCP Send B
Connect to port 2 -> Search if the communication from A is expected (Successful UDP Hello in last 5 seconds with different versions)
send encrypted packet -> decode data, validate, save
A TCP Receive B
Connect to port 1 -> Search if the communication from A is expected (Successful UDP Hello in last 5 seconds with different versions)
decode data, validate, save <- send encrypted packet
Communication diagram
Encryption scheme of the UDP Packet
Encryption scheme of the TCP Packet

It’s notable that here is a mistake in TCP encryption/decryption implementation shown above. Instead of the red arrow there is computed one more SHA256, that should be used in the xor with the initialization vector. But then there is the source of the SHA used instead of the result.

Analysis of winscomrssrv.dll

It is preparation for the next phase. It uses the TXT DNS records the same way as StratupCheckLibrary.dll. It tries to decode txt records on URL’s:

  • fgh[.]roboticseldomfutures[.]info
  • anter[.]roboticseldomfutures[.]info
  • any[.]tshirtcheapbusiness[.]net
  • lef[.]loadtubevideos[.]com
  • levi[.]loadtubevideos[.]com
  • gof[.]planetgoodimages[.]info
  • dus[.]bridgetowncityphotos[.]org
  • ofl[.]bridgetowncityphotos[.]org
  • duo[.]motortestingpublic[.]com
  • asw[.]animegogofilms[.]info
  • wc[.]animegogofilms[.]info
  • enu[.]andromediacenter[.]net
  • dnn[.]duckduckanimesdownload[.]net
  • vfog[.]duckduckanimesdownload[.]net
  • sto[.]genomdevelsites[.]org
  • sc[.]stocktradingservices[.]org
  • ali[.]stocktradingservices[.]org
  • fgo[.]darestopedunno[.]com
  • dvd[.]computerpartservices[.]info
  • efco[.]computerpartservices[.]info
  • plo[.]antropoledia[.]info
  • lp[.]junglewearshirts[.]net
  • um[.]junglewearshirts[.]net
  • fri[.]rainbowobservehome[.]net
  • internal[.]videoservicesxvid[.]com
  • daci[.]videoservicesxvid[.]com
  • dow[.]moonexploringfromhome[.]info
  • net[.]todayaniversarygifts[.]info
  • sego[.]todayaniversarygifts[.]info
  • pol[.]motorcyclesonthehighway[.]com
  • any[.]andycopyprinter[.]net
  • onl[.]andycopyprinter[.]net
  • cvh[.]cheapjewelleryathome[.]info
  • df[.]dvdstoreshopper[.]org
  • efr[.]dvdstoreshopper[.]org
  • Sdf[.]expensivecarshomerepair[.]com

It seems, that these files are not yet in the wild, but we know what the names of files should be 

C:\WINDOWS\System32\wrsrvrcomd0.dll, C:\WINDOWS\System32\winupdtemp_0.dat and C:\WINDOWS\System32\winuptddm0.

Anti-Detection and Anti-Forensics

As noted before, Crackonosh takes specific actions to evade security software and analysis.

Specific actions it takes to evade and disable security software includes:

  • Deleting antivirus software in safe mode
  • Stopping Windows Update
  • Replacing Windows Security with green tick system tray icon
  • Using libraries that don’t use the usual DllMain that is used when running library as the main executable (by rundll32.exe) but instead are started with some other exported functions.
  • Serviceinstaller tests if it is running in Safe mode

To protect against analysis, it takes the following actions to test to determine if it’s running in a VM:

  • Checks registry keys:
    • SOFTWARE\VMware, Inc
    • SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters
    • SOFTWARE\Oracle\VirtualBox Guest Additions
  • Test if computer time is in some reasonable interval e.g. after creation of malware and before 2023 (wksprtcli.dll)

Also, as noted it delays running to better hide itself. We found the specific installers used hard coded dates and times for its delay as shown below.

SHA of installer Installer doesn’t run before
9EC3DE9BB9462821B5D034D43A9A5DE0715FF741E0C171ADFD7697134B936FA3 2018-06-10 13:08:20
8C52E5CC07710BF7F8B51B075D9F25CD2ECE58FD11D2944C6AB9BF62B7FBFA05 2018-06-19 14:06:37
93A3B50069C463B1158A9BB3A8E3EDF9767E8F412C1140903B9FE674D81E32F0 2018-07-04 17:33:20
6A3C8A3CA0376E295A2A9005DFBA0EB55D37D5B7BF8FCF108F4FFF7778F47584 2018-07-10 15:35:57
4B01A9C1C7F0AF74AA1DA11F8BB3FC8ECC3719C2C6F4AD820B31108923AC7B71 2018-07-25 13:56:35
65F39206FE7B706DED5D7A2DB74E900D4FAE539421C3167233139B5B5E125B8A 2018-08-03 15:50:40
C6817D6AFECDB89485887C0EE2B7AC84E4180323284E53994EF70B89C77768E1 2018-08-14 12:36:30
7F836B445D979870172FA108A47BA953B0C02D2076CAC22A5953EB05A683EDD4 2018-09-13 12:29:50
D8C092DE1BF9B355E9799105B146BAAB8C77C4449EAD2BDC4A5875769BB3FB8A 2018-10-01 13:52:22
E497EE189E16CAEF7C881C1C311D994AE75695C5087D09051BE59B0F0051A6CF 2018-10-19 14:15:35
D7A9BF98ACA2913699B234219FF8FDAA0F635E5DD3754B23D03D5C3441D94BFB 2018-11-07 12:47:30
Hardcoded timestamps in installers

We also found a version, Winrmsrv.exe (5B85CEB558BAADED794E4DB8B8279E2AC42405896B143A63F8A334E6C6BBA3FB), that instead decrypts time that is hard-coded in config file (for example in 5AB27EAB926755620C948E7F7A1FDC957C657AEB285F449A4A32EF8B1ADD92AC ) is 2020-02-03. If current system time is lower than the extracted value, winrmsrv.exe doesn’t run.

It also takes specific actions to hide itself from possible power users who use tools that could disclose its presence.

It uses Windows-like names and descriptions such as winlogui.exe which is the Windows Logon GUI Application.

It also checks running processes and compares it to the blocklist below. If it finds process with specified name winrmsrv.exe and winlogui.exe terminate itself and wait until the next start of PC.

  • Blocklist:
    • dumpcap.exe
    • fiddler.exe 
    • frst.exe 
    • frst64.exe 
    • fse2.exe 
    • mbar.exe 
    • messageanalyzer.exe 
    • netmon.exe 
    • networkminer.exe 
    • ollydbg.exe 
    • procdump.exe 
    • procdump64.exe 
    • procexp.exe 
    • procexp64.exe 
    • procmon.exe 
    • procmon64.exe 
    • rawshark.exe 
    • rootkitremover.exe 
    • sdscan.exe 
    • sdwelcome.exe 
    • splunk.exe 
    • splunkd.exe 
    • spyhunter4.exe 
    • taskmgr.exe
    • tshark.exe 
    • windbg.exe 
    • wireshark-gtk.exe 
    • wireshark.exe 
    • x32dbg.exe 
    • x64dbg.exe 
    • X96dbg.exe

Additional files

As well as previously discussed, our research found additional files:

  • Startupcheck.vbs: a one time script to create a Windows Task Scheduler task for StartUpCheckLibrary.dll.
  • Winlogui.dat, wslogon???.dat: temporary files to be moved as new winlogui.exe.
  • Perfdish001.dat: a list of infected IP addresses winrmsrv.exe found.
  • Install.msi and Install.vbs: these are in some versions a step between maintenance.vbs and serviceinstaller.msi, containing commands that are otherwise in maintenance.vbs.

Removal of Crackonosh

Based on our analysis, the following steps are required to fully remove Crackonosh.

Delete the following Scheduled Tasks (Task Schedulers)

  • Microsoft\Windows\Maintenance\InstallWinSAT
  • Microsoft\Windows\Application Experience\StartupCheckLibrary
  • Microsoft\Windows\WDI\SrvHost\
  • Microsoft\Windows\Wininet\Winlogui\
  • Microsoft\Windows\Windows Error Reporting\winrmsrv\

Delete the following files from c:\Windows\system32\

  • 7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450
  • 7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450B
  • diskdriver.exe
  • maintenance.vbs
  • serviceinstaller.exe
  • serviceinstaller.msi
  • startupcheck.vbs
  • startupchecklibrary.dll
  • windfn.exe
  • winlogui.exe
  • winrmsrv.exe
  • winscomrssrv.dll
  • wksprtcli.dll

Delete the following file from C:\Documents and Settings\All Users\Local Settings\Application Data\Programs\Common (%localappdata%\Programs\Common)

  • UserAccountControlSettingsDevice.dat

Delete the following file from C:\Program Files\Windows Defender\

  • MSASCuiL.exe

Delete the following Windows registry keys (using regedit.exe)

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender value DisableAntiSpyware
  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection value DisableBehaviorMonitoring
  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection value DisableOnAccessProtection
  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection value DisableScanOnRealtimeEnable
  • HKLM\SOFTWARE\Microsoft\Security Center value AntiVirusDisableNotify
  • HKLM\SOFTWARE\Microsoft\Security Center value FirewallDisableNotify
  • HKLM\SOFTWARE\Microsoft\Security Center value UpdatesDisableNotify
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer value HideSCAHealth
  • HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting value DisableEnhancedNotifications
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value winlogui

Restore the following default Windows services (Note: depends on your OS version – see https://www.tenforums.com/tutorials/57567-restore-default-services-windows-10-a.html)

  • wuauserv
  • SecurityHealthService
  • WinDefend
  • Sense
  • MsMpSvc

Reinstall Windows Defender and any third-party security software, if any was installed.

Error messages

On infected machines, sometimes the following error messages about the file Maintenance.vbs can appear.

Type Mismatch: ‘CInt’, Code: 800A000D
Can not find script file

Both of these are bugs in the Crackonosh installation.

Although there are some guides on the internet on how to resolve these errors, instead we recommend following the steps in the previous chapter to be sure you fully remove all traces of Crackonosh.

Conclusion

Crackonosh installs itself by replacing critical Windows system files and abusing the Windows Safe mode to impair system defenses.

This malware further protects itself by disabling security software, operating system updates and employs other anti-analysis techniques to prevent discovery, making it very difficult to detect and remove.

In summary, Crackonosh shows the risks in downloading cracked software and demonstrates that it is highly profitable for attackers. Crackonosh has been circulating since at least June 2018 and has yielded over $2,000,000 USD for its authors in Monero from over 222,000 infected systems worldwide.

As long as people continue to download cracked software, attacks like these will continue to be profitable for attackers. The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you.

Indicators of Compromise (IoCs)

Public keys

—–BEGIN PUBLIC KEY—–
MIIEIjANBgkqhkiG9w0BAQEFAAOCBA8AMIIECgKCBAEA0m9mblXlLhgH/d5WgDw0
2nzOynQvKdkobluX5zFK6ewVkX+3W6Vv2v4CqJ473ti9798Jt9jkDpfEL1yMUDfp
Lp1p4XGVSrTrD16J0Guxx0yzIjyReAzJ8Kazej1z/XGGOtAMZCoLI+TrE4me3SjL
+EXk3pXqyupAgKFiNrlXRj7hbb5vXkeB0MpbV3yJ0ha1OJdAIAwGzQTUsvDWDw00
4sxLfso6CLzR1CKJEH2wT6RVfalnGg6IBwb/fvGewGYECAfnPtEt8TwvzuLsw6NY
BD+tDNcFQk0ZRIAZ+zO5mY4cuWTTBZbAjEFFo5UX4ognHDElltgh+76rXDvtXmeZ
ivDOgJSBXr2+TkQ9dMfYMYLxKHoe8WRBYlI6Wkl59+HQQdQFgSGK6tFtY0T3TVwR
ZxQE1LYwe+0lF1Cop8U/jqRotudKcS+Hyiu0yoSv34C3QwW4ELQktCX5313gcNF/
RA98knE1tl9F3Pl6vnvm1ILb6cxihYy5F0rdLteRNezrjcXOKGA9BV4QTebxH/mi
mm6z4BtTBPNKvrtqo25qx5Oa0fOnVvHAaVtXNjzCNapZwucHH/V8jJzIwcv2ZUP4
Hx9Hkpm5u/3payfDPkWHFwxh3qfDDr2jzgwDjRSOgO1GHGuL1HoIxSgxWFOf6F2z
caOwDrcycDbWiIMeZedJQI1XTrCPoFL4YoyPY2at9tAYW+6Z3gvnvbhen803N2/k
0TWEUU1hUfhOn45IC5r3pCC8Ouy7FIblz1wGm8Qfa8uSD3hxPhaev1G2JJpN4ZVN
UEfeVH6rVcsbQmKoB0xgmcn5Qnq4WoRGtTd1Z4bbC2Zl2q4jqDAutxWdtmEahmcN
OZoTpAjfN96eQReDYLHYkY9SmdjmclnXGo6SP2VHdlm+Xf5DU7E+0c1WNNb2fGN8
+XY29XLuesCppPyeCejMEgIIfIm6A0ltRtwdRHzqgLaY3o6Q6KTvMCQY2zEwKvx8
h1u5CLNpJ0yajbvaO41g4uKBtAPL+N9knsfnIqwG1r7emocrUbj3Nou9mPvtTVHr
r6ZRCmXbdhXTFL6ztLEGYt4wYwvJfKXlgk+3LFECffw0LpjUXEJVtzb//eI4rEyq
J99exvMzQJ5ELLwpRT/Ehq4D7ngc5V/LGQvGNG5MUnzjDF5Ja5W56HcYRVCj8+CV
jHzOUMx1Ojzeb9L87dS+neATWLr+26kMBALr7lEi37483oLQcD5W4bKspQmMdOJb
ED8MEVTd1V6/lTfcBRiHmEdHazV6OnxZsriXQ6MQtnS5WYKjaCwnv2QfUAtfspeO
tGeIalZIdY/MpABHnmhOQZc5rRXrsEU028zmD52OXTXVfnklhhZjHm9QOX6D4fM3
kQIDAQAB
—–END PUBLIC KEY—–
—–BEGIN PUBLIC KEY—–
MIIEfDANBgkqhkiG9w0BAQEFAAOCBGkAMIIEZAKCBFsAuwkH5cn5zS75ZQpdViD/
L5gUpjnJXJL1rWB0toEICF58mkjpR8DGR+Nl3IXgyjSdKprFUU7pVhO5kmlgiId/
VqbBQZdwKaLxi4oeg4zzVQ7ACwanU1eYqOCNoAsrdcuWkytnPUcLRC3VtE5POp1n
skiPiKNt4aWvzXw61+o+ROEQhKcsYaB3Xu34X1HPxI1HSFhPLxuj20Gfiu3Aol3r
mGdxLWa/sVbkYzyinocrVRl09+Tys0JYq1hc+q6ZR3fN1wOqOQm7dlksmPLDAhIi
9AFyKPrdiLc30kpMP3dpZT/IilkRebcrlufiDgXpAij2t6zzHC5cjn4eCOV80kzJ
qgw8oMAww0K2jvhwTWlRkvvAWtkbHUL9VRX69NFAJOuAPsHNv7ScWiy4EW4KxlFd
zR0B6hzsOc/bo0ns5ffrtOFPao1yW7h4BqE8AYpENwKmygQCh+e211Gd0ABD4131
nNYuZokyYXLLEuzwEjzJlw0bKbwn6suVPA8WAa53iy43/5LWQFfWB3AK8qolJ6ck
vyNLJiMtMa1Q+K3pcRndfQpLMsI19ZZyz67Rh0T+QqDt2XQ5gT4gnmPlc2wB3Y7X
2XoZHQZ8FRgYxhS2Szurmn/70NeZEq6p4Zr+yj0FqEjNvR1ooUz5pwJ6iJSmXRtN
ifaBHKhmc4l5ZIUOUkhtsQ1bmsII092gtLPrLkU7hC1hG9vSzUEh6myLs/pqIKTj
x+s+tHqF34XuvNMJOAcv7dXIiQ0QqfG1bFFP6WItwNyeRRGVIkik6GZuAe3lXV5d
bcKr+ID6pZBeI+yN6y+ugX900WZHKZCfSWvAEQDDZW7TCe0sBQpq083B1GVQOg9t
3MM43PqdYrVgH0fRYa6YJ0SrvhFEIjaevszmOYo+eE5P3GHuL4ty45LrkE91qTWk
fYexEQ0QhCsmBFCu+oX/EI6NpAm636zoc9qPZScZBgIAStYCJJt6pIzDr3tq0BFR
oA3CklsFrKloDgx3rBZgNJk4lpWd9kihNRq7EzI8Y/YbAA0SlgkfXj6/4s0B0ODi
2xirUJzhzQnJuvXFdirwoRpHglMtIOhmfy0fMnvorDbmxGyMVM4n44nGLLrqaZj1
+8QWi9PixPNWgznPBeQaT7q78IPooWn9H/efJ2Rb602iW8H9NSbp/Mt2+Qa4O2Cg
ATymvrRG6oyCgNF5L1fUpGQNQpD3PzSyrTdyjEIabjPpPD+doXPq3y+sEYvWVwDc
96SwVSB7oZ3Bj4/tW7IJ4FhPzXcrBl0RsdURHHhJsHPHSQH6QRtebKcc+3TemhN5
CcXjHmETcB0a0FJ6DXNm4iQZx+t/q8F0ZYnBGhR7aAYu5wl5ofJxGFTQkc5KisYh
B6XogfPM7GT5Zw2B7omiXiGHKALXerzQP831+gL8Zso6ZIWGM3F+PJqQarfn0wnT
xQ264rjtnSKnSkfaDRGxpBYyMDF3CxMPHYsmv7K5lF4be5ASK64VexloUQIDAQAB
—–END PUBLIC KEY—–

The post Crackonosh: A New Malware Distributed in Cracked Software appeared first on Avast Threat Labs.

  • There are no more articles
❌