- XMRig miners hiding inside popular game cracks are already making their distributors millions.
- The malware disables any AV tools running on the infected computer and replaces critical system files.
- The compromise is pretty obvious to the victim, yet infection rates remain quite stable.
Avast warns about a new wave of malware distribution that they call “Crackonosh,” which appears to come from Czech authors. The malware is reaching computers through the voluntary download of shady executables that pose as crack files for popular games.
These are tools that promise to replace the binary of a game with a “cracked” one that can trick the anti-piracy system into believing that it’s a legit copy that has been activated with a purchased key. These cracks are very popular because they allow users to play games for free, but malware actors know this and take advantage of the situation.
The most common cracks that hide “Crackonosh” inside them are those that promise to deliver unlocks for the following game titles:
- NBA 2K19
- Grand Theft Auto V
- Far Cry 5
- The Sims 4 Seasons
- Euro Truck Simulator 2
- The Sims 4
- Jurassic World Evolution
- Fallout 4 GOTY
- Call of Cthulhu
- Pro Evolution Soccer 2018
- We Happy Few
What these cracks actually do is install the XMRig coin miner, which hijacks the victim’s computer resources and mines Monero into wallets controlled by the actors. Avast’s telemetry shows that at least 222,000 devices have been infected with Crackonosh, earning the malware distributors 9,000 XMR ($2 million). Admittedly, this is an impressive amount of money for doing almost nothing at all.
The signs of infection become obvious immediately, because Crackonosh installs itself by replacing critical Windows system files and abusing the OS’s Safe Mode. It does that to disable any AV tools that may be running on the infected machine, including Windows Defender, which is disabled and deleted. Additionally, Windows Update is disabled permanently, and the Windows Security icon in the tray is replaced with a green tick. If you get one of the following errors on your system after installing a cracked game, you have been infected by Crackonosh.
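A read-only posture check for the tampering just described, added here as an example and not part of the article or Avast’s write-up. It assumes an elevated PowerShell session on a Windows 10 host that still has the Defender PowerShell module, and it only reports; it changes nothing.

```powershell
# Added example (not the article's or Avast's code): report whether Defender,
# Windows Update and the boot configuration are in the state Crackonosh
# leaves them in. Assumes an elevated session; read-only.

$findings = @()

# 1. Defender service: the malware disables and deletes Defender.
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $defender) {
    $findings += "WinDefend service is missing"
} elseif ($defender.Status -ne 'Running') {
    $findings += "WinDefend service is $($defender.Status) (start type: $($defender.StartType))"
}

# 2. Defender engine status; the cmdlet is absent once Defender has been removed.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    if (-not $status.AntivirusEnabled)          { $findings += "Antivirus engine disabled" }
    if (-not $status.RealTimeProtectionEnabled) { $findings += "Real-time protection disabled" }
} catch {
    $findings += "Get-MpComputerStatus unavailable: $($_.Exception.Message)"
}

# 3. Windows Update service: the malware disables updates permanently.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu) {
    $findings += "wuauserv service is missing"
} elseif ($wu.StartType -eq 'Disabled') {
    $findings += "Windows Update service start type is Disabled"
}

# 4. Persistent Safe Mode flag: a safeboot entry on the current loader means
#    the next reboot lands in Safe Mode, where third-party AV drivers do not load.
$bcd = & bcdedit /enum '{current}' 2>$null
if ($bcd -match 'safeboot') {
    $findings += "bcdedit shows a safeboot entry on the current boot loader"
}

if ($findings.Count -eq 0) {
    Write-Output "No Crackonosh-style tampering found."
} else {
    Write-Output "Possible tampering:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Any finding here is a reason to follow the manual removal steps in Avast’s write-up rather than to trust the tray icon.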
Because AVs are disabled, removing the malware requires manual intervention, deleting the files it dropped from all locations in the filesystem. Unfortunately, this is a pretty tedious process, but Avast has provided all the details in its write-up, like where to find each file, what exactly to delete, and what to reinstall.
In general, you should avoid downloading and installing game cracks from untrustworthy software sources. In almost all cases, these executables will infect your machine with something nasty. Remember, there’s no reason for anyone to create these files and share them for free with you.