Crackonosh malware abuses Windows Safe Mode to quietly mine for cryptocurrency
Malware named Crackonosh has been found spreading through pirated and cracked software, the kind typically obtained from torrents, forums, and malicious websites, according to researchers at Avast. Avast began investigating after spotting Reddit posts from users of its antivirus asking why the product had suddenly vanished from their systems. Avast quickly determined that a malware infection was responsible and eventually traced the intrusions to Crackonosh, which has been in circulation since at least June 2018.
The infection chain begins with an installer and a script that modify the Windows registry so that the main malware executable is permitted to run in Safe Mode, Avast says. The infected system is then forced to boot into Safe Mode on its next startup. In Safe Mode, Windows starts only the drivers and services explicitly allowed there, so antivirus products, Windows Defender included, are normally not running; the malicious installer uses that window to disable and delete Windows Defender. Crackonosh also scans for other antivirus programs, including Norton, McAfee, Kaspersky, Avast, and Bitdefender, and attempts to delete or disable them.
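The two Windows mechanisms such a chain depends on are both inspectable from an elevated PowerShell prompt: the SafeBoot\Minimal and SafeBoot\Network registry keys, which whitelist what may start in Safe Mode, and the boot configuration (BCD), where a persistent "safeboot" setting forces the next boot into Safe Mode. The script below is an added triage example, not Crackonosh's code and not Avast's published indicators; it uses only standard Windows registry paths and the built-in bcdedit and Defender cmdlets, and the "binary outside \Windows" filter is a heuristic assumed for the example (legitimate antivirus products also register themselves under SafeBoot, so treat hits as leads, not verdicts).

```powershell
# Added example: triage a host for Safe Mode persistence and a forced Safe Mode boot.
# Not Crackonosh's own code and not Avast's IOCs; registry paths and tools are stock Windows.
# Run elevated. For a real investigation, also diff these keys against a known-clean host of the same build.

$ErrorActionPreference = 'Stop'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    Write-Host "== SafeBoot\$mode =="
    foreach ($sub in Get-ChildItem -Path $key) {
        $name = $sub.PSChildName
        # The subkey's default value is normally 'Driver', 'Service', or a device-class description.
        $kind = (Get-ItemProperty -Path $sub.PSPath).'(default)'

        # If the entry names a service, resolve the binary it would launch in Safe Mode.
        $image = $null
        $svcKey = Join-Path $servicesRoot $name
        if (Test-Path $svcKey) {
            $raw = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
            if ($raw) { $image = [Environment]::ExpandEnvironmentVariables($raw) }
        }

        # Heuristic (assumption for this example): an absolute ImagePath that is not under the
        # Windows directory is unusual for a Safe Mode-whitelisted entry and deserves a look.
        # Relative and \SystemRoot\ paths resolve inside the Windows directory and are left alone.
        $flag = ''
        if ($image -and $image -match '^"?[A-Za-z]:\\' -and $image -notmatch '(?i)^"?[A-Za-z]:\\Windows\\') {
            $flag = '   <-- binary outside \Windows'
        }
        '{0,-40} {1,-10} {2}{3}' -f $name, $kind, $image, $flag
    }
}

Write-Host "== BCD: safeboot on the current boot entry =="
# Quoting {current} keeps PowerShell from treating the braces as a script block.
$bcd = bcdedit /enum "{current}" 2>&1
if ($bcd -match '(?i)^\s*safeboot\s') {
    Write-Host 'safeboot is set: the next reboot enters Safe Mode until it is cleared.'
    Write-Host 'Clear (only once you have confirmed it is not your own change): bcdedit /deletevalue "{current}" safeboot'
} else {
    Write-Host 'No safeboot value on the current boot entry.'
}

Write-Host "== Defender state =="
try {
    $mp = Get-MpComputerStatus
    'Real-time protection: {0}; antimalware service: {1}' -f $mp.RealTimeProtectionEnabled, $mp.AMServiceEnabled
} catch {
    # The cmdlet is absent or fails when the Defender platform has been disabled or removed.
    Write-Host "Get-MpComputerStatus failed ($($_.Exception.Message)); Defender may be disabled or removed."
}
```

The SafeBoot check is the one to keep in a baseline job: on a clean build the set of entries under Minimal and Network rarely changes, so any new service-type entry, especially one whose ImagePath points into a user-writable location, is a cheap and high-signal alert. The BCD check catches the forced-reboot half of the technique before the reboot happens, which is the moment at which the antivirus is still running and can still act.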