It was Reddit users who tipped off a team of cybersecurity specialists at the company Avast, as several of them wondered why the eponymous antivirus had disappeared from their systems.
After conducting an investigation, Avast, which released a report on Thursday, discovered that malware was causing this bug, and that it spread through pirated video game software available for download on forums or torrent sites.
According to the report, the malware, dubbed Crackonosh, has been circulating since at least June 2018, notably through video games such as NBA 2K19, Grand Theft Auto V, Far Cry 5, The Sims 4 and Jurassic World Evolution.
During the installation of said software, an installer file (serviceinstaller.exe) and a script included in the torrent modify the Windows registry, which allows the malware to run unnoticed when the computer starts up. The computer then automatically boots into safe mode (without loading some of its files and drivers).
When Windows is in safe mode, antivirus software does not work.
This can allow the malicious serviceinstaller.exe file to easily disable and remove Windows Defender Antivirus, continues Daniel Benes in the Avast report.
Finally, the malware deploys XMRig software, which exploits the system and its resources to mine Monero cryptocurrency (XMR).
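A triage check for the start-up behaviour described above, added here as an example and not taken from the Avast report. It assumes that a forced safe-mode boot appears as a `safeboot` element in `bcdedit /enum` output and that services permitted in safe mode are listed under the `SafeBoot\Minimal` registry key; the service name `ExampleSvc`, the paths and all sample data are constructed.

```python
import re

# Constructed sample of `bcdedit /enum` output (not from a real host).
SAMPLE_BCDEDIT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
default                 {current}

Windows Boot Loader
-------------------
identifier              {current}
safeboot                Minimal
"""
# Constructed service data: name -> ImagePath. "ExampleSvc" is a made-up name.
SAMPLE_SERVICES = {"ExampleSvc": r'"C:\Windows\System32\serviceinstaller.exe"',
                   "Spooler": r"C:\Windows\System32\spoolsv.exe"}
# Constructed subkey names as found under the SafeBoot\Minimal registry key.
SAMPLE_SAFEBOOT_KEYS = ["AppMgmt", "Base", "ExampleSvc"]
INSTALLER = "serviceinstaller.exe"  # file name given in the article

def parse_bcd_entries(text):
    """Turn bcdedit output into one dict (element -> value) per boot entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or set(lines[1].strip()) != {"-"}:
            continue  # not a "title / dashes / elements" block
        entry = {"title": lines[0].strip()}
        for line in lines[2:]:
            parts = line.split(None, 1)
            if len(parts) == 2:  # skip continuation lines with no element name
                entry[parts[0].lower()] = parts[1].strip()
        entries.append(entry)
    return entries

def triage(bcdedit_text, services, safeboot_keys):
    """Flag boot entries that force safe mode and services running the installer."""
    findings = []
    for e in parse_bcd_entries(bcdedit_text):
        if "safeboot" in e:
            findings.append(("forced-safe-boot", e.get("identifier"), e["safeboot"]))
    allowed = {k.lower() for k in safeboot_keys}
    for name, path in services.items():
        if path.strip('"').lower().endswith("\\" + INSTALLER):
            findings.append(("installer-service", name, name.lower() in allowed))
    return findings
```

The third field of an `installer-service` finding is `True` when that service is also registered to start in safe mode, the combination the article describes.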
Signs of infection
In the report, Daniel Benes points to several signs that a computer is infected, starting with the computer slowing down, its rapid deterioration and higher-than-usual electricity bills.
Crackonosh also puts the brakes on Windows Update, in addition to replacing the Windows Security shield icon in the system tray with a fake, green one.
According to the Avast report, the countries most severely affected are Brazil, India and the Philippines. Several cases have also been identified in Canada and the United States.
Note that Avast is not the only antivirus to be targeted by Crackonosh. Kaspersky, McAfee, Norton, and Bitdefender can also be disabled and removed by the malware.
A profitable ploy
Avast now estimates that there are 1,000 devices affected by the malware every day, for a total of 222,000 infected computers worldwide since 2018.
About 30 variants of the malware have been identified, the last of which was released in November 2020.
Over 900 XMR coins have been mined through this scheme, which is equivalent to over US$2 million.
The origin of the malware remains unknown, but Avast has suspicions as to its creator, who could be Czech, since Crackonosh means "the spirit of the mountains" in folklore.
As for when the malware will lose ground, the Avast report points out that "as long as people keep downloading pirated software, attacks like this will continue and continue to pay off for thieves."
"What to remember from all this, […] is that when you try to steal software, there is a good chance that someone is trying to steal from you in turn," indicates the report.