On Thursday, researchers at Avast published a report detailing the discovery of cryptocurrency-mining malware that targets Windows Safe mode and has generated over 9,000 Monero coins (valued at around $2 million today) through the compromise of more than 222,000 Windows systems.
Malware is spreading swiftly
Over two million unique devices in over a dozen countries have been infected by the malware since December 2020. As of May, the malware was registering 1,000 hits every day. The researchers have already discovered 30 variants of the malware, the most recent of which was published in November 2020.
Avast security researcher Daniel Beneš, who tracks malware, has reported the following victim counts by country: the Philippines (18,448), Brazil (16,584), India (13,779), Poland (12,727), the United States (11,856), and the United Kingdom (8,946).
Crackonosh operating surreptitiously
The researchers started investigating the threat in response to reports that Crackonosh was removing its antivirus from infected machines. Further investigation found that Crackonosh was also disabling popular antivirus products, along with Windows Defender and Windows Update, for the same reason that it was concealing its location: to allow the malware to remain undetected on infected systems.
After it weakens an infected host, Crackonosh uses XMRig, a cryptocurrency miner, to mine Monero on the infected computer’s hardware. More than 100,000 systems were infected by another crypto-miner called DirtyMoe earlier this month. The main difference between DirtyMoe and Blackhole was that DirtyMoe was essentially propagated by an SMB worm and that its developer appeared to be from China rather than Europe.
“As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers. The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you.”