Free malware with cracked software.
Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Christopher Budd: We started looking into this based on a Reddit post. Someone said that their Avast folder was suddenly empty and they were wondering what was up with that. We started looking into that, and eventually, when we finished pulling on that thread, we found a malware that was distributing XMRig and made for its author about two million dollars in Monero.
Dave Bittner: That's Christopher Budd. He's Senior Global Threat Communications Manager at Avast. The research we're discussing today is titled, "Crackonosh: A New Malware Distributed in Cracked Software."
Dave Bittner: Let's go through it together then. I mean, take me through the infection pathway here. How would somebody find themselves with Crackonosh on their system?
Christopher Budd: Sure. So, the key thing with Crackonosh is that we have found it every time bundled in with cracked versions of popular software. So, you know, every instance of Crackonosh that we are familiar with has ended up on someone's system because someone decided that they wanted one of the hottest new games. We've got a full list here. So, like, Grand Theft Auto 5, someone decided, you know what, I want Grand Theft Auto 5, but I don't want to pay for it. So they go and they get a cracked version and they get Grand Theft Auto 5, and they get Crackonosh for free.
Dave Bittner: I see. No extra charge.
Christopher Budd: Exactly, exactly. You know, it's part of the service, right?
Dave Bittner: (Laughs) Well, I mean, let's dig into it some here. So, you download one of these cracked versions of the software, and how does Crackonosh go about its business of installing itself?
Christopher Budd: So, you start running the installation like you would expect. As part of the cracking process, the person or people behind Crackonosh have made some adjustments to that installer. That installer will install the cracked game. It will also spin up a VBS script that's called "maintenance.vbs." And that starts the whole thing going.
Dave Bittner: Hmm.
Christopher Budd: That script will kick off an MSI package. It will install something called "serviceinstaller.exe," which sounds like a legitimate kind of nuts-and-bolts sort of Windows program, but that's the actual main malware. The other thing that this whole script routine does is it makes changes to the Windows Registry. It's actually going to, at some point, boot your system up into safe mode, so that once it's in safe mode, it's going to go through and strip out your antivirus software. And this brings us back – remember I said this all started with the post saying my Avast had disappeared? – that's why it disappeared. Because the Crackonosh installation sequence will at some point boot up in safe mode, it's going to get rid of your security software, it's going to turn off Windows Update, it's going to get rid of Windows Defender and put something in there that will look like Defender in the system tray but it's not.
Dave Bittner: Right, so you still have that icon sitting down there, so you're lulled into thinking that everything's still fine.
Christopher Budd: Exactly. And so it does all that. It's going to wait a few days before it really kicks in, which is another tactic that they're using to lay low and avoid detection.
Dave Bittner: Yeah, that was fascinating to me, that there's a counter installed that lets you reboot the system, you know, X number of times before it does that. Because I was sort of trying to think through this in my own mind, and I would imagine if I went and downloaded some cracked software – not that I would – but if I ever did, you know, that would be, at the moment of installation is when I would probably be most suspicious and on the lookout for something being amiss.
Christopher Budd: Exactly. Exactly. And, you know, this sort of delaying tactic, it's not unique to this. You know, we did some research – I want to say in February – on a completely different topic area. We did research into some browser extensions that would install malware on your system. And part of the anti-analysis, anti-detection, anti-forensics capabilities that that had, once again, was to set – I believe in that case, it was a three-day wait period between when the malicious extension was installed and when it would finally start doing its malicious activity.
Dave Bittner: Hmm. So what happens next?
Christopher Budd: So, it does all of that, and then it downloads the XMRig coinmining software. And basically that's it. It's going to start running XMRig and make Monero for the people that did this.
Dave Bittner: And what's going on in terms of being able to communicate with some sort of command-and-control server? How's it going about that?
Christopher Budd: You know, in terms of C&C, we didn't see a lot of activity on that. It's not a strictly centrally controlled piece of malware like we've seen with some others. In this case, it's basically running XMRig and shipping the product of its mining off to Monero wallets.
Dave Bittner: And so, in terms of folks detecting this, what are your recommendations?
Christopher Budd: You know, that's part of the challenge, because it does sit and wait. You know, some of the things that you can look for are classic with coinmining. You know, your system is going to be unresponsive. It's going to be slow. If you happen to see that your antivirus and security has quit running or has disappeared, that's another tip-off. No more Windows Update is a tip-off. But otherwise, they do a pretty good job of keeping this quiet. You know, really, the biggest tip-off for anyone, first and foremost, is did you download any cracked software?
Dave Bittner: Right. Right. (Laughs) Yeah. I mean, I guess you never want to blame the victim, but, you know, there's a pretty clear line between point A and point B here.
Christopher Budd: There is. And that's another piece of what makes this – I mean, you don't want to be complimentary of people doing bad things, but I think it is important to have proper respect – in the same way that you respect a hurricane, for instance – you have to respect some of the decision making that they made, and targeting people who are, out of the gate, engaged in questionable, potentially illegal activity is pretty smart, because, you know, how many people are going to go to the police basically saying, hey, you know, this thing that I tried to steal, well, someone put malware in it. Can you help me?
Dave Bittner: Right, right. Exactly, right. So, for you and your team, who are trying to track things like this down, I mean, is that a particular challenge there itself? That when you go and, you know, try to talk to the folks who've been infected here, I could imagine them hesitating to share that they were downloading cracked software.
Christopher Budd: Well, in this case, so, for instance, a lot of the research that we and research teams do, we don't necessarily need to do in-person interviews. So, like I said, for this one, we saw the Reddit posting and we were able to start looking, you know, seeing what we can see from, you know, from detected malware on customers' systems. We can go and look at places like VirusTotal. And so we can assemble a picture of what's happening out there without necessarily having to talk with specific, discrete individuals.
Dave Bittner: I see. Do you have any sense for how widespread this is?
Christopher Budd: You know, in terms of in terms of numbers, it was pretty widespread. We traced this back to about 2018. We've said based on our telemetry, probably something like 222,000 systems have at some point been infected with this, worldwide. You know, it's made two million dollars worth of Monero for the authors. So, you know, it has a pretty sizable footprint. And, you know, let's go back to something that you were asking about earlier – the fact that it's been around for two to three years, and no one has really discovered it until now, is a testament to the effectiveness in the targeting that the authors of this made – again, targeting people who are doing questionable activity – and it's a testament to the smart choices that they made in constructing this to, you know, to get rid of AV, to turn off Windows updates, to delay the running of the coinmining software.
Dave Bittner: So it's really effective at not drawing undue attention to itself.
Christopher Budd: Exactly, exactly. And that's what they want. That's how they got this on at least 222,000 systems, and that's what helped them make two million dollars.
Dave Bittner: Any idea who's behind this or what part of the world this is coming from?
Christopher Budd: Sure. So, some of the indicators that the research team saw in the malware and the installers lead them to believe that at least part of this is made by someone in the Czech Republic. So, that's actually – kind of a fun fact – that's actually part of the naming for this. So, a Crackonosh in Slavic folklore and mythology is a mountain spirit. And the research team decided to call this Crackonosh, first because it deals with cracked software – Crackonosh, cracked software – and then they went with that also for the possible Czech connections that we found.
Dave Bittner: Our thanks to Christopher Budd from Avast for joining us. The research is titled, "Crackonosh: A New Malware Distributed in Cracked Software." We'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.