If you download and install pirated PC games, your antivirus software could be turned off, Windows security updates could cease and your beloved GPU could be hijacked to mine cryptocurrency.
So warns a new report from antivirus firm Avast, which says that a new piece of coin-mining malware called “Crackonosh” has infected more than 200,000 Windows PCs since 2018, netting the crooks behind it about $2 million in Monero cryptocurrency.
“Crackonosh is distributed along with illegal, cracked copies of popular software and searches for and disables many popular antivirus programs as part of its anti-detection and anti-forensics tactics,” wrote Avast researcher Daniel Benes.
Infected downloads containing Crackonosh include “cracked” installers of Fallout 4 Game of the Year edition, Far Cry 5, Grand Theft Auto V, NBA 2K19, Pro Evolution Soccer 2018 and, um, The Sims 4 and The Sims 4 Seasons.
If anecdotal reports cited by Avast were any indication, the cracked games played just fine, only with an extra bit of unseen menace.
Once a cracked game is installed, the malware makes a few Windows Registry changes and drops several executables whose names are chosen to look like legitimate Windows components: winrmsrv.exe, winscomrssrv.dll and winlogui.exe. (The last of these, winlogui.exe, is the coin-mining component.) It then lies in wait, and on the seventh or tenth restart after installation it boots the PC into Safe Mode.
Many cryptocurrency-mining malware strains, the tools of so-called "cryptojackers," don't do much damage to the machines they infect. They just want to "borrow" CPU and GPU cycles to generate coins. Crackonosh is different.
Because most antivirus software does not run in Safe Mode (not even Windows' own Microsoft Defender Antivirus, formerly known as Windows Defender), booting the PC into Safe Mode gives Crackonosh a window in which to strike while nothing is watching.
It disables Microsoft Defender, and deletes Avast, Bitdefender, F-Secure, Kaspersky, McAfee, Norton or Panda antivirus software if any of them is present. It then tweaks the Registry further to disable Windows security updates.
After all that, the malware is ready to deploy the XMRig miner to hijack your cycles and generate Monero, and your computer is left with no antivirus and no security updates, exposed to every other piece of internet malware that comes along.
If your machine suddenly has a lot of malware, your antivirus software is nowhere to be found and you haven’t received a Windows update in months, you might be harboring Crackonosh. Getting rid of it isn’t easy — Avast has a full set of how-to instructions in its report, but they’re pretty technical and best left to someone who knows the intricacies of the Windows Registry.
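The symptoms above (look-alike binaries, Defender switched off, third-party antivirus gone, Windows Update silenced) can be checked in a few minutes from an elevated PowerShell prompt. The script below is an added triage example written for this page; it is not from Avast's report and is not a removal tool. The file search location, the two registry policy keys, the persistence checks and the Security Center productState interpretation are assumptions about how this kind of tampering usually shows up, not details taken from the Crackonosh analysis, and a hit on any single check is a reason to investigate, not proof of infection.

```powershell
# Added triage script (not from Avast's report or the article): looks for the
# Crackonosh-style indicators described above. Run from an elevated prompt.
# Registry keys, file locations and persistence checks are assumptions.

$findings = @()

# 1. Look-alike binaries named in the article. Location is an assumption:
#    search the whole Windows directory tree.
$suspectNames = @('winrmsrv.exe', 'winscomrssrv.dll', 'winlogui.exe')
$hits = Get-ChildItem -Path $env:SystemRoot -Recurse -File -Include $suspectNames -ErrorAction SilentlyContinue
foreach ($h in $hits) {
    $findings += "Suspicious file: $($h.FullName) (modified $($h.LastWriteTime))"
}

# 2. Microsoft Defender state. Get-MpComputerStatus throwing is itself a
#    finding: the Defender module or its WMI provider is not where it should be.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings += 'Defender antivirus engine is disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
    if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
        $findings += "Defender signatures stale: last updated $($mp.AntivirusSignatureLastUpdated)"
    }
} catch {
    $findings += "Get-MpComputerStatus failed: $($_.Exception.Message)"
}

# Policy value that turns Defender off (assumed to be how it was disabled).
$defPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$dis = (Get-ItemProperty -Path $defPol -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
if ($dis -eq 1) { $findings += "$defPol\DisableAntiSpyware = 1" }

# 3. Antivirus products registered with Security Center (client Windows only).
#    Bit 0x1000 of productState is the widely used, undocumented "enabled" flag.
$avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $avProducts) {
    $findings += 'No antivirus product is registered with Security Center'
} else {
    foreach ($p in $avProducts) {
        if (($p.productState -band 0x1000) -eq 0) {
            $findings += "AV product '$($p.displayName)' is registered but reports itself disabled"
        }
    }
}

# 4. Windows Update: service state, the policy value that blocks automatic
#    updates (assumed), and the date of the most recent installed hotfix.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu) { $findings += 'Windows Update service (wuauserv) is missing' }
elseif ($wu.StartType -eq 'Disabled') { $findings += 'Windows Update service is set to Disabled' }

$auPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAu = (Get-ItemProperty -Path $auPol -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
if ($noAu -eq 1) { $findings += "$auPol\NoAutoUpdate = 1" }

$lastFix = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($lastFix -and $lastFix.InstalledOn -lt (Get-Date).AddDays(-60)) {
    $findings += "Last hotfix $($lastFix.HotFixID) was installed $($lastFix.InstalledOn.ToShortDateString())"
}

# 5. Persistence: services or scheduled tasks that launch one of the look-alike
#    names. The exact mechanism Crackonosh uses is not stated in the article.
foreach ($svc in (Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue)) {
    foreach ($name in $suspectNames) {
        if ($svc.PathName -like "*$name*") { $findings += "Service '$($svc.Name)' runs $($svc.PathName)" }
    }
}
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        foreach ($name in $suspectNames) {
            if ($action.Execute -like "*$name*") { $findings += "Scheduled task '$($task.TaskName)' runs $($action.Execute)" }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Crackonosh-style indicators found.'
} else {
    "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { " - $_" }
}
```

Run it as Administrator, since the Defender cmdlets and some of the registry and task queries fail silently or throw otherwise. If the script reports findings, do not simply delete the files it lists: the Safe Mode trick means the malware has already rewritten parts of the system's security configuration, so follow the full cleanup steps in Avast's report or rebuild the machine.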
It’s best just to avoid infection altogether by not installing cracked software. If you feel you absolutely must, then scan each installer with antivirus software before you run it. You can often just right-click the installer in your Downloads folder and select “Scan with” the antivirus software of your choice from the pop-out menu. Bear in mind that a clean scan is not a guarantee: Crackonosh is built specifically to evade antivirus, and it does nothing visible for several reboots after installation.
“As long as people continue to download cracked software, attacks like these will continue to be profitable for attackers,” wrote Avast’s Benes. “The key take-away from this is that you really can’t get something for nothing and when you try to steal software — odds are someone is trying to steal from you.”