A new malware dubbed Crackonosh is being used in attacks on gamers with the goal of hijacking the resources on their computers to turn them into cryptocurrency mining rigs.
Cryptocurrency prices have been soaring in recent months, with many reaching record prices. That makes mining cryptocurrency profitable, and even more so when using the powerful computers of gamers without their knowledge. The gamers cover the electricity costs and supply the hardware, while the coin mining profits go to the scammers.
Getting malware onto gamers’ devices is the key to this scam, and what better way to do that than to offer gamers free versions of popular games such as Grand Theft Auto V, Pro Evolution Soccer 2018, or NBA 2K19. These cracked games can be installed without having to make a purchase, with the games offered free in forums. Currently, most infections have come via forums, but games could easily be hosted on a website and traffic driven to those sites through malicious adverts in the search engines or third-party ad blocks on any number of high traffic websites.
The games are legitimate, although they have been cracked to allow them to be installed without purchasing a game key. The correct game is installed, but bundled into the installer are several other files that execute in the background and install the Crackonosh malware, which is capable of disabling certain antivirus programs, including Windows Defender, to ensure it is not detected. It also disables Windows Update to ensure that Windows Defender is not reactivated. Because the malware also places an icon in the system tray, the user will most likely be unaware that their antivirus software has been disabled.
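The two side effects described above (Defender switched off and Windows Update stopped) are things an administrator can check for directly. The script below is an added example, not code from the article or from any vendor; the function name is ours, while the cmdlets, service names and policy path are standard Windows. It reports findings and leaves remediation to the administrator.

```powershell
# Added example: report the Defender / Windows Update tampering effects the
# article attributes to Crackonosh on the local host. Run from an elevated
# PowerShell session (5.0 or later, for Get-Service's StartType property).
function Get-DefenderTamperReport {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Defender engine state as reported by the Defender module
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        $findings.Add('Get-MpComputerStatus failed: Defender platform unavailable or removed')
    } else {
        if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender antivirus engine is disabled') }
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
        if (-not $mp.AMServiceEnabled)          { $findings.Add('Defender antimalware service is not running') }
    }

    # 2. Policy override that forces Defender off (DisableAntiSpyware = 1)
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $pol = Get-ItemProperty -Path $polPath -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableAntiSpyware -eq 1) {
        $findings.Add("Policy $polPath\DisableAntiSpyware = 1 (Defender forced off)")
    }

    # 3. Core services: WinDefend (Defender) and wuauserv (Windows Update).
    #    A stopped or disabled wuauserv is what keeps Defender from coming back.
    foreach ($svcName in 'WinDefend', 'wuauserv') {
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        if (-not $svc) {
            $findings.Add("Service $svcName is missing")
        } else {
            if ($svc.Status -ne 'Running')     { $findings.Add("Service $svcName is $($svc.Status)") }
            if ($svc.StartType -eq 'Disabled') { $findings.Add("Service $svcName start type is Disabled") }
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Tampered     = ($findings.Count -gt 0)
        Findings     = $findings
    }
}

$report = Get-DefenderTamperReport
$report | Format-List
if ($report.Tampered) { Write-Warning "Protection tampering indicators found on $($report.ComputerName)" }
```

On a healthy host the report lists no findings; any entry is worth correlating with recently installed software before restoring Defender and Windows Update.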
One of the main aims of Crackonosh malware is to deliver a legitimate cryptomining program named XMRig, although in this case, XMRig is used to hijack the CPU and GPU of victims’ devices and use those resources for generating cryptocurrency. Using XMRig on one gaming computer will not make much money, but at scale the operation is hugely profitable.
The malware distribution campaign has proven successful: the malware has been found in more than a dozen countries, with the highest numbers of infected computers in the Philippines, Brazil, India, Poland, the United States, and the United Kingdom. As of December 2020, more than 220,000 devices were infected with Crackonosh malware, and those devices had been used to generate at least $2 million in Monero coins at today’s prices.
This malware campaign targets gamers as their computers are well suited to mining cryptocurrency. Once infected, users are likely to experience a serious reduction in performance and much higher electricity bills, but cryptocurrency mining can also cause computers to overheat, components can wear out from overuse, and devices will ultimately fail.
It is not only cryptocurrency mining malware that can be installed along with cracked software. Any number of other malware variants could be delivered. Another recently identified campaign also uses cracked software as the cover but delivers a malware loader dubbed MosaicLoader. MosaicLoader is used to deliver cryptocurrency miners as well as Remote Access Trojans, cookie stealers, backdoors, and any other malware that the MosaicLoader operator sees fit to deliver.
Installing cracked software and games carries a risk of malware infections, and that is particularly bad news for businesses, especially those that have a BYOD policy or allow their employees to work remotely on corporate-issued devices.
Preventing malware infections such as Crackonosh or MosaicLoader should start with education. Employees should be told about the risks of installing cracked software or other unauthorized software on devices. Technical measures are also required. To block risky downloads from the Internet, it is worthwhile installing a DNS filter. DNS filters block content at the DNS lookup stage of a web request, before any content is downloaded.
They can block access to certain categories of websites – gaming sites and forums, for example – or prevent specific files from being downloaded, such as game and software installers. DNS filters also use a variety of methods to assess whether sites are malicious and will block access to URLs and IP addresses known to be used for illegal and malicious purposes.
If you want to improve your defenses against malware, contact TitanHQ today. TitanHQ’s advanced spam filtering solution – SpamTitan – and DNS filter – WebTitan – block malware at source and keep you protected from phishing, ransomware, and other email- and web-based threats.