Malware author made $2 million after infecting 222,000 Windows systems
The operator of a malware strain known as Crackonosh has made more than 9,000 Monero coins (estimated today at around $2 million) after infecting more than 222,000 Windows computers since 2018.
The operator did so by hiding the malware in pirated and cracked copies of popular software, Daniel Beneš, a malware analyst for antivirus maker Avast, said in a report today.
Beneš said Avast began studying the malware after it received reports that Crackonosh was disabling and uninstalling its antivirus from infected hosts.
The company later found that Crackonosh was also disabling many other popular antivirus programs as part of an advanced set of anti-detection and anti-forensics tactics that were meant to allow the malware to remain undetected on infected hosts.
This also included disabling Windows Defender and Windows Update, Beneš said.
Once Crackonosh weakened infected hosts, it would download and run a software package named XMRig that allowed the malware's author, believed to be operating out of the Czech Republic, to earn a profit from infected computers.
Avast said its products had detected more than 222,000 unique devices that have been infected with the Crackonosh malware, with the most victims residing in the US, Brazil, India, Poland, and the Philippines.
Avast's report on the Crackonosh malware comes days after the company also discovered that another crypto-miner named DirtyMoe had infected more than 100,000 systems.
The difference between the two was that DirtyMoe was primarily being spread using an SMB worm and that its creator appears to be based in China rather than the EU.
Avast's report on Crackonosh also includes removal instructions, something that most security firms rarely bother sharing in their technical write-ups.
"As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers. The key take-away from this is that you really can't get something for nothing and when you try to steal software, odds are someone is trying to steal from you," Beneš said.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.