# Crackonosh

### What is Crackonosh?

Crackonosh is the name given to malware that sets up cryptocurrency mining on target devices with the help of XMRig, a Monero coin miner. The malware was distributed through cracked software, more specifically through the installers of torrented video games. Games with known infected installers include:

* NBA 2K19
* Far Cry 5
* Euro Truck Simulator 2
* Jurassic World Evolution
* Call of Cthulhu
* We Happy Few
* Grand Theft Auto V
* The Sims 4 Seasons
* The Sims 4
* Fallout 4 GOTY
* Pro Evolution Soccer 2018

At its peak, in December 2020, Crackonosh was infecting upwards of 15,000 users a day. Although the numbers tapered off in the following months, there were still around 1,000 hits per day half a year later. In total, over 222,000 devices were infected and millions of dollars' worth of Monero was mined through May 2021.

### How Does it Work?

The process starts when the target runs the installer for their torrented game (or other cracked software). The installer registers 'Maintenance.vbs' to run at system startup. Then, to conceal the attacker's intentions, a counter is started that waits for a set number of system restarts before the process continues. Once that number of restarts has been reached, 'Serviceinstaller.msi' runs: it disables hibernation mode, ensures that the next boot will be in safe mode, and registers 'Serviceinstaller.exe' so that it runs in safe mode. At this point, 'Serviceinstaller.msi' and 'Maintenance.vbs' are deleted to further cover the malware's tracks.

Safe mode is integral to Crackonosh's success because antivirus software does not run there. This step allows 'Serviceinstaller.exe' to disable and delete Windows Defender and to install a file called 'MSASCuiL.exe' in its place. The purpose of 'MSASCuiL.exe' is to make it look as though Windows Defender is still up and running by placing the Windows Security icon in the system tray (though closer inspection would make it obvious that something was amiss). 'Serviceinstaller.exe' also deletes any of the following antivirus products it finds:

* Adaware
* Escan
* Kaspersky
* Norton
* Bitdefender
* F-secure
* Mcafee
* Panda

Once the antivirus software has been removed, 'StartupCheckLibrary.dll' and 'Winlogui.exe' are dropped. 'Winlogui.exe' contains the XMRig Monero coin miner, and 'StartupCheckLibrary.dll' carries the process forward. 'Serviceinstaller.exe' also creates a registry entry that starts the infected device's mining on every startup.

'StartupCheckLibrary.dll' queries DNS records and, from the information it receives, derives an IP address and port number from which to download 'Wksprtcli.dll'. This new file is used to update Crackonosh: it contains dates on which 'Winlogui.exe' is stopped, deleted, and replaced with a newer version. 'Wksprtcli.dll' also installs 'Winscomrssrv.dll' and 'Winrmsrv.exe'.

Crackonosh also uses 'Winrmsrv.exe' to keep everything up to date. Peer-to-peer connections between infected devices are used to compare software versions and update where necessary. 'Winrmsrv.exe' sends UDP packets to random IP addresses, and when it finds another device with Crackonosh installed, it does one of three things:

1. Nothing, because both devices have the same version of Crackonosh
2. Sends files to the other device, because it has an older version of Crackonosh
3. Prepares to receive files from the other device, because it has a newer version of Crackonosh

The files are sent over a TCP connection and are encrypted using SHA256. Note that SHA-256 is a hash function rather than a cipher: on its own it can verify a transferred file's integrity or feed a key derivation, but it cannot by itself encrypt the data.

### Obfuscation

Crackonosh's purpose naturally depends on the target being unaware of its presence, so it is no surprise that steps were taken to ensure there was never any reason to suspect that malware was running on the device. Some of these steps were described above, such as the deletion of antivirus software and the replacement of Windows Defender with 'MSASCuiL.exe'. However, far more work went into covering Crackonosh's tracks.

On top of deleting Windows Defender, Crackonosh stops Windows Update to prevent it from overwriting the malware's files or reinstalling antivirus software. The dropped files were also named to pass as official software: 'Winlogui.exe', 'Winrmsrv.exe', and 'Winscomrssrv.dll' all sound like Windows files. Furthermore, the malware carries a list of blocked process names. If Crackonosh detects any process on that list, 'Winrmsrv.exe' and 'Winlogui.exe' halt execution and wait for the next startup before running again. Finally, there are checks to determine whether Crackonosh is running in a VM; if so, execution is altered to hinder analysis of the malware's inner workings.
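
As an added defender-side example (not code from this write-up or from Avast), the following Python audits a host-state snapshot for the artifact chain described in this section and the previous one: the autostart and safe-mode registrations, the dropped filenames, the Windows Defender service missing beside the 'MSASCuiL.exe' decoy, and the stopped Windows Update service. The snapshot data is constructed; the registry locations, the service names WinDefend and wuauserv, and the C:\EXAMPLE paths are assumptions of the example rather than details given in the write-up.

```python
from dataclasses import dataclass

# Filenames the write-up attributes to Crackonosh, matched case-insensitively. Several
# impersonate Windows components, so a name hit is a lead to verify (signer, path, hash).
CRACKONOSH_NAMES = {"maintenance.vbs", "serviceinstaller.msi", "serviceinstaller.exe",
                    "startupchecklibrary.dll", "winlogui.exe", "wksprtcli.dll",
                    "winscomrssrv.dll", "winrmsrv.exe"}

@dataclass
class HostSnapshot:
    autoruns: dict[str, str]  # autostart name -> command line (assumed: a Run key)
    safeboot: set[str]        # entries registered to start in safe mode (assumed location)
    services: dict[str, str]  # service name -> "running" | "stopped" | "missing"
    files: list[str]          # paths observed on disk

def basename(path: str) -> str:
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1].lower()

def launched_exe(cmd: str) -> str:  # program a command line launches, honouring quotes
    cmd = cmd.strip()
    head = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return basename(head)

def audit(snap: HostSnapshot) -> list[tuple[str, str]]:
    """One (indicator class, detail) per hit; verdict() correlates the classes."""
    hits = [("autostart", f"{n} -> {launched_exe(c)}")
            for n, c in snap.autoruns.items() if launched_exe(c) in CRACKONOSH_NAMES]
    hits += [("safeboot", e) for e in snap.safeboot if basename(e) in CRACKONOSH_NAMES]
    present = {basename(p) for p in snap.files}
    hits += [("file", f) for f in sorted(present & CRACKONOSH_NAMES)]
    # MSASCuiL.exe is a legitimate Defender tray-icon name on healthy hosts; it is
    # only suspicious when the Defender service itself is gone, as described above.
    if snap.services.get("WinDefend", "missing") == "missing" and "msascuil.exe" in present:
        hits.append(("defender", "WinDefend missing while MSASCuiL.exe is present"))
    if snap.services.get("wuauserv") == "stopped":  # service name is an assumption
        hits.append(("update", "Windows Update (wuauserv) stopped"))
    return hits

def verdict(hits: list[tuple[str, str]]) -> str:
    """Demand two independent indicator classes before calling the full chain."""
    kinds = {k for k, _ in hits}
    return "likely Crackonosh" if len(kinds) >= 2 else ("verify" if kinds else "clean")

# Constructed snapshot mirroring the post-infection state described above.
SAMPLE = HostSnapshot(
    autoruns={"winlogui": r'"C:\EXAMPLE\Winlogui.exe"', "OneDrive": r"C:\EXAMPLE\OneDrive.exe /background"},
    safeboot={"Serviceinstaller.exe"},
    services={"WinDefend": "missing", "wuauserv": "stopped"},
    files=[r"C:\EXAMPLE\Winlogui.exe", r"C:\EXAMPLE\MSASCuiL.exe", r"C:\EXAMPLE\Winrmsrv.exe"],
)
```

Running `audit(SAMPLE)` on the constructed snapshot yields hits in all five indicator classes, while a healthy host that merely has the legitimate 'MSASCuiL.exe' on disk produces none.
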
All of this went into making sure Crackonosh could run uninterrupted, and judging by the infection numbers, it achieved that goal well.

### References

[Crackonosh: A New Malware Distributed in Cracked Software](https://decoded.avast.io/danielbenes/crackonosh-a-new-malware-distributed-in-cracked-software/)

[A Brief Understanding of the XMRig Monero Miner Malware](https://cyware.com/news/a-brief-understanding-of-the-xmrig-monero-miner-malware-d7c05714)