We recently became aware of customer reports that Avast antivirus was missing from their systems – like the following example from Reddit.
We looked into this report and others like it and have found a new malware we’re calling “Crackonosh” in part because of some possible indications that the malware author may be Czech. Crackonosh is distributed along with illegal, cracked copies of popular software and searches for and disables many popular antivirus programs as part of its anti-detection and anti-forensics tactics.
In this posting we analyze Crackonosh. We look first at how Crackonosh is installed. In our analysis we found that it drops three key files, winrmsrv.exe, winscomrssrv.dll and winlogui.exe, which we analyze below. We also include information on the steps it takes to disable Windows Defender and Windows Update, as well as its anti-detection and anti-forensics actions. We include information on how to remove Crackonosh. Finally, we include indicators of compromise for Crackonosh.
The main target of Crackonosh was the installation of the coinminer
Read More: https://decoded.avast.io/danielbenes/crackonosh-a-new-malware-distributed-in-cracked-software/?utm_source=rss&utm_medium=rss&utm_campaign=crackonosh-a-new-malware-distributed-in-cracked-software