An article by Avast has introduced a novel malware by the name Crackonosh. This computer virus spreads through cracked software, specifically through illicit video game copies. The malware’s main purpose is Monero crypto mining, which is quite a conspicuous activity that should be detected by security products. With that in mind, the malware’s authors have incorporated multiple evasion techniques into the malware. Despite its blatant behavior, Crackonosh has not received much cover from security vendors, and its developers have managed to mine approximately 2 million dollars’ worth of cryptocurrency.
As described by Avast, upon installation the malware disables security products such as Windows Defender. It will even replace Defender’s executable with a custom binary that will place the Windows security icon inside the system tray. Another method the malware uses to evade detection is a registry key check for VMware and VirtualBox keys. This is done in multiple stages of the attack, to avoid execution of each of the malicious payloads inside a sandbox. Finally, the actual crypto-jacking binary will verify that no analysis process resides in memory and will not execute if one is found.
When searching for IOCs of this threat in our telemetry, we found an infection that was thwarted by our product in March of this year. After examining the files involved in this breach, we can confirm they are indeed a part of this highly profitable operation. We even found a version of the file winscomrssrv.dll that was not present in the IOC section of the original Avast article, but contained the exact same functionality as the binary described there.
Crackonosh’s main agenda is evasiveness and that is why it has successfully stayed hidden since 2018. For the cyber security industry to tackle these events in real time, a change in paradigm is needed. Moving the pressure into the malware developer’s territory is exactly what Minerva Labs Hostile Environment Simulation does. By simulating a sandbox environment for each process on the system we prevent live infections from detonating in corporate endpoints.
Crackonosh’s miner prevented:
winscomrssrv.dll querying for VMware registry keys, which are simulated by Minerva: