Cyber Attackers Unleashed Cryptomining Malware 'Crackonosh' Masked as Free Games: How to Avoid Virus-infested Free Games
Hackers are mining for crypto gold at the expense of others' computers by uploading cracked games laced with cryptomining malware.
In a report by BBC, "cracked" versions of major video game titles such as Grand Theft Auto V, NBA 2K19, and Pro Evolution Soccer 2018 were being given away by these cyber criminals on hacker forums online.
According to the report, a cryptomining malware called Crackonosh was hidden inside the code of each of these "free" games.
"The author of the Crackonosh malware has made around $2 million after infecting 222,000 Windows systems with their crypto-miner (hid inside cracked software) https://t.co/KGvpSPsNGJ pic.twitter.com/VNKZ0IVsSh" — Catalin Cimpanu (@campuscodi), June 25, 2021
How does Crackonosh work
In an analysis by Avast, Crackonosh drops three essential files onto the victim's PC: winrmsrv.exe, wincomrssrv.dll, and winlogio.exe. These are installed through a chain that starts with the cracked software's installer.
The victim runs the installer, which runs a file called maintenance.vbs, which in turn installs serviceinstaller.msi. That file is registered on the victim's PC and starts the main malware itself, serviceinstaller.exe.
From there, serviceinstaller.exe unpacks every file Crackonosh needs to run, including winrmsrv.exe, wincomrssrv.dll, and winlogio.exe.
According to Avast, these Crackonosh files then find and disable installed Windows security software, including Windows Defender and Windows Update.
The files also "cloak" the malware's other files, keeping them "undetected" by antivirus software by "deleting" them with a command hidden inside the malware once it is "installed."
The malware files also abuse Windows Safe Mode, a mode that can be entered when the system is abruptly shut down and then restarted seconds later, in order to leave the PC defenseless.
According to PCMag.com, Crackonosh spread heavily across PCs in the Philippines, Brazil, India, Poland, and the United States, with more than 10,000 known victims in total, all of whom had antivirus software installed on their PCs.
Avast said in its analysis that Crackonosh has amassed over $2 million in Monero, a privacy-focused cryptocurrency favored by criminals, from 222,000 infected systems worldwide since June 2018.
How to Remove Crackonosh from the System
Avast also revealed how to remove the malware manually by locating specific files on the system. According to the analysis, the first step in exterminating the malware is to delete its scheduled tasks.
Afterwards, go to the System32 folder on your local disk C:, where you need to locate and delete another specific set of files.
Next, go to the Documents and Settings folder on the same disk, then All Users, then Local Settings, then Application Data, then Programs, then the Common folder. There, delete a specific file.
Next, go to the Windows Defender folder under Program Files and delete another specific file. Then type regedit.exe into the Run dialog to open Registry Editor, where you delete another set of registry entries.
Then restore the default Windows services affected by the malware, and reinstall Windows Defender and any third-party security software.
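Both the infection chain described above and the manual removal steps come down to a handful of named files, scheduled tasks that launch them, and two security services the malware switches off. The following PowerShell triage script is an added example written for this article; it is not Avast's tool or part of their published removal procedure. It only reports: it searches the locations the removal steps point at for the file names the article attributes to Crackonosh, lists scheduled tasks whose action references one of them, and checks whether Windows Defender (WinDefend) and Windows Update (wuauserv) are still enabled. The mapping of the legacy "Documents and Settings\All Users\Local Settings\Application Data" path to ProgramData on current Windows is an assumption on my part, so both paths are searched. Run it from an elevated prompt on the machine you are checking.

```powershell
# Added triage script (not from the article or from Avast): looks for the Crackonosh
# artifacts named in the write-up and checks the security services it disables.
# Report-only: nothing is deleted, so it is safe to run before the manual clean-up.
#Requires -RunAsAdministrator

# File names the article attributes to Crackonosh.
$Indicators = @('winrmsrv.exe', 'wincomrssrv.dll', 'winlogio.exe',
                'maintenance.vbs', 'serviceinstaller.msi', 'serviceinstaller.exe')

# Locations the removal steps point at. The "Documents and Settings\All Users\..."
# path is the legacy name; on current Windows it is assumed to resolve to ProgramData,
# so both spellings are listed.
$SearchRoots = @(
    "$env:SystemRoot\System32",
    "$env:ProgramData\Programs\Common",
    "C:\Documents and Settings\All Users\Local Settings\Application Data\Programs\Common",
    "$env:ProgramFiles\Windows Defender"
)

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped files in the known locations.
foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Indicators -contains $_.Name.ToLower() } |
        ForEach-Object { $Findings.Add("File: $($_.FullName)") }
}

# 2. Scheduled tasks whose action launches one of the indicator files
#    (the article says removal starts with the malware's scheduled tasks).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".ToLower()
        foreach ($name in $Indicators) {
            if ($cmd -like "*$name*") {
                $Findings.Add("Task: $($task.TaskPath)$($task.TaskName) -> $cmd")
            }
        }
    }
}

# 3. Services the malware is reported to disable: Windows Defender and Windows Update.
foreach ($svc in 'WinDefend', 'wuauserv') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) {
        $Findings.Add("Service: $svc is missing")
    } elseif ($s.StartType -eq 'Disabled') {
        $Findings.Add("Service: $svc is disabled (status $($s.Status))")
    }
}

# Get-MpComputerStatus fails when Defender has been removed, which is itself a finding.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) {
        $Findings.Add('Defender: real-time protection is off')
    }
} catch {
    $Findings.Add('Defender: Get-MpComputerStatus unavailable (Defender module missing or removed)')
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Crackonosh indicators found.'
} else {
    Write-Output "Possible Crackonosh indicators ($($Findings.Count)):"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

A file name match on its own is not proof of infection, and an empty report is not proof of a clean machine: the script only checks the names and locations this article mentions. Treat its output as a starting point for the manual steps above, and re-run it after removal to confirm the scheduled tasks are gone and both services are back to their default start type.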
How to Avoid Infection
Preventing malware attacks disguised as free software, including cracked games, starts with knowing their direct cause.
According to Kaspersky, you should not use any pirated software. Instead, buy games and other software from legitimate official stores. If you want to save money, wait for a sale, or wait for a legitimate digital store to offer game titles for free, as the Epic Games Store does.
Also avoid obscure pirate sites; such sites, especially those that appeared only six months ago, have a higher probability of hosting an infected file. Finally, install a reliable antivirus program and never disable it. Keep the antivirus program updated so that its detection database is updated as well.