Malware hidden in pirated games disables antivirus and mines cryptocurrency
Fanny Dufour June 28, 2021 @ 3:129pm
Researchers at Avast say they have found malware that disables antivirus and installs software to mine cryptocurrency.
This virus spreads through illegal copies of video games, targeting the most popular of them.
Crackonosh, a malware that disables antivirus to install mining software
Alerted by reports from users that Avast had been removed from their computers, the company's researchers eventually found malware, which they named "Crackonosh". This virus, hidden in pirated copies of popular video games, has been circulating since 2018, and its main purpose is to install mining software to generate cryptocurrency.
Crackonosh installs itself on its victim's PC during game installation and remains dormant for a while. One of its startup scripts, Maintenance.vbs, has a timer that waits for the seventh or tenth system startup to run serviceinstaller.msi. It also makes sure that on next boot the system will boot into safe mode.
As for serviceinstaller.msi, it only serves to allow serviceinstaller.exe to be run in safe mode, by registering it as a service. Maintenance.vbs and serviceinstaller.msi are subsequently deleted, in order to cover their tracks.
In safe mode, antivirus programs do not run, and the virus takes the opportunity to disable and remove Windows Defender and install its own program, which imitates the icon of the Microsoft program. It also disables any other antivirus present on the device as well as automatic system updates, and sets up mechanisms that let it update itself and avoid detection and analysis.
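A defender-side check for the two changes described above (a service allowed to start in safe mode, and a forced safe-mode boot), as an added example that is not from the article or from Avast's report. It assumes the standard Windows SafeBoot registry key and `bcdedit` output as inputs, neither of which the article names; the sample data and the service name ExampleSvc are constructed.

```python
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

def parse_safeboot(reg_text):
    """Parse `reg query <SAFEBOOT> /s` output into {(mode, name): type}."""
    entries, key = {}, None
    for line in reg_text.splitlines():
        if line.upper().startswith("HKEY_"):
            # Keep only <mode>\<name> keys, e.g. Minimal\AppMgmt.
            rel = line.strip()[len(SAFEBOOT) + 1:].split("\\")
            key = tuple(rel) if len(rel) == 2 and all(rel) else None
            continue
        m = re.match(r"\s*\(Default\)\s+REG_SZ\s+(.+)", line)
        if key and m:
            entries[key] = m.group(1).strip()
    return entries

def new_safe_mode_services(baseline_text, current_text):
    """Services allowed to start in safe mode that the baseline lacks."""
    base = parse_safeboot(baseline_text)
    cur = parse_safeboot(current_text)
    return sorted(k for k, v in cur.items()
                  if v.lower() == "service" and k not in base)

def safeboot_pending(bcdedit_text):
    """True if `bcdedit /enum {current}` output has a safeboot element."""
    return any(re.match(r"\s*safeboot\s+\S+", ln, re.I)
               for ln in bcdedit_text.splitlines())

# Constructed sample data; ExampleSvc is a hypothetical service name.
BASELINE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt
    (Default)    REG_SZ    Service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base
    (Default)    REG_SZ    Driver Group
"""
AFTER = BASELINE + r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleSvc
    (Default)    REG_SZ    Service
"""
BCDEDIT = "identifier              {current}\nsafeboot                Minimal\n"

if __name__ == "__main__":
    print("new safe-mode services:", new_safe_mode_services(BASELINE, AFTER))
    print("safe boot pending:", safeboot_pending(BCDEDIT))
```

The baseline should be a snapshot taken from the same machine or image while it was known to be clean, since the legitimate entries differ between Windows versions.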
A virus that spreads through pirated games
The end goal of this malware is the installation of a cryptocurrency miner, XMRig. With this scheme, the creators of the virus have managed to obtain 9,000 XMR since June 2018, which corresponds to 2 million dollars at the current rate. 222,000 systems are believed to have been infected worldwide.
Avast found Crackonosh in the installers of 11 pirated games, including GTA V and The Sims 4, often easy targets given their popularity with gamers. "The takeaway from all of this is that you can't get something for nothing, and when you try to steal software, there's a good chance someone is trying to steal from you", concludes Daniel Benes, the author of the paper.
If you think you have been infected with this malware, Avast details how to detect and remove it from the system in its article, cited in the sources.
Hacked games affected by malware © Avast
Sources: Gizmodo, Avast