Crackonosh: A New Malware Distributed in Cracked Software

Avast - 

We recently became aware of customer reports advising that Avast antivirus was missing from their systems – like the following example from Reddit.

From Reddit

We looked into this report and others like it and have found a new malware we’re calling “Crackonosh” in part because of some possible indications that the malware author may be Czech. Crackonosh is distributed along with illegal, cracked copies of popular software and searches for and disables many popular antivirus programs as part of its anti-detection and anti-forensics tactics.

In this posting we analyze Crackonosh. We look first at how Crackonosh is installed. In our analysis we found that it drops three key files winrmsrv.exe, winscomrssrv.dll and winlogui.exe which we analyze below. We also include information on the steps it takes to disable Windows Defender and Windows Update as well as anti-detection and anti-forensics actions. We include information on how to remove Crackonosh. Finally, we include indicators of compromise for Crackonosh.

Number of hits since December 2020. In total over 222,000 unique devices. Number of users infected by Crackonosh since December 2020. In May it is still about a thousand hits every day.

The main target of Crackonosh was the installation of the coinminer

Read More: