Cryptocurrency Fraud , Cybercrime , Fraud Management & Cybercrime

Malware Opens the Door to XMRig Cryptominer

'Crackonosh' Disables Antivirus Programs
Malware Opens the Door to XMRig Cryptominer
Among the first indicators that a new malware variant was in the wild were notes like this on Reddit. (Source: Avast)

Cyberattackers are using malware dubbed "Crackonosh" to disable many antivirus programs, paving the way for installation of the XMRig cryptominer, according to Avast. So far, this approach has generated more than $2 million in monero for the attackers over the last seven months, the security firm says.

See Also: Check Kiting In The Digital Age

"Crackonosh is distributed along with illegal, cracked copies of popular software and searches for and disables many popular antivirus programs as part of its anti-detection and anti-forensics tactics," Avast reports.

Avast listed 12 cracked games with which the malware is associated. Those include the popular NBA 2K19, Grand Theft Auto V and The Sims 4 Seasons.

The first instances of Crackonosh were spotted in December 2020, but Avast believes the malware is several years older.

The number of users infected by Crackonosh since December 2020 (Source: Avast)

"From all the wallets we found, there was one where we were able to find statistics. The pool sites showed payments of 9,000 XMR in total, that is with today prices over $2,000,000," Avast reports.

Crackonosh Details

Avast's researchers found Crackonosh gains entry when a device's operator downloads a game or other software from an illegal or "gray area" website. It then drops three files - winrmsrv.exe, winscomrssrv.dll and winlogui.exe. - onto a targeted device.

The installer for the malicious download runs maintenance.vbs, which, in turn, runs serviceinstaller.msi, which runs the main malware package, servicseinstaller[.]exe.

"From the original compilation date of Crackonosh, we identified 30 different versions of serviceinstaller.exe, the main malware executable, from 31.1.2018 up to 23.11.2020. It is easy to find out that serviceinstaller.exe is started from a registry key created by maintenance.vbs," the report states.

If the malware decides the targeted device is "safe" to operate on it then installs the Crackonosh malware to %SystemRoot%system32 and one configuration file to %localappdata%ProgramsCommon and creates in the Windows Task scheduler the tasks InstallWinSAT to start maintenance.vbs and StartupCheckLibrary to start StartupcheckLibrary.vbs.

At the same time, Crackonosh stops Windows Update and replaces Window Security with a fake green tick tray icon, which falsely indicates to the user that the system is protected.


After the malware is installed, it waits for the computer owner to restart the system between seven and 10 times. Then the malware begins to make changes.

Its first move is to disable the computer's hibernation system, so the malware runs constantly. To cover its tracks, it also deletes serviceinstaller.msi and maintenance.vbs and - the important part - sets the system to boot to safe mode on the next restart.

"While the Windows system is in safe mode, antivirus software doesn't work. This can enable the malicious serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL (Windows Management Instrumentation Query Language) to query all antivirus software installed," and if found, deletes the folders, Avast says. At this stage, XMRig is dropped, and it begins operations on every computer start.

Deleting Crackonosh

In the report, Avast describes the files and scheduled tasks that need to be found and removed to delete the malware.

The researchers note that in some cases, a victim will see an error message caused by the malware, which indicates the system is infected.

One of the tell-tale error warnings that indicate a device is infected with Crackonosh (Source: Avast)

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.