Crackonosh and Pirated Games


Playing a pirated copy of GTA5 and thinking it's free?! Well, you are actually mining crypto for the cracker using your own computer's power!!

What is it?!

Well, it all started with a Reddit post where the author shared that his laptop had a security issue: his Avast antivirus folders were turning up empty! Investigated further by Avast, the malware was detected and named "Crackonosh". It spreads between devices mainly through pirated software, including games like Grand Theft Auto 5.

What does it do?

It seems like one of the best long-distance relationships: the cracker, being kilometres away, takes over the host's computer and uses it to perform his own crypto mining! It is not related to Bitcoin, Ethereum or any other famous cryptocurrency. They mine a very special crypto called Monero (XMR), a privacy-focused coin that is well suited to cashing in on cyber attacks. An investigation even revealed around 9000 XMR, worth $2,000,000, had been mined! Crazy, isn't it?!

It also turns off Windows Update, which makes it easier for the malware to avoid getting kicked out by a future update!

(Figure: sample installation logs)

How does it happen?

People who install pirated games might very well know that the software asks users to disable their antivirus before installing. Know why? The installation of the malware starts by dropping a massive number of corrupted files, which in turn edit the Windows "Registry", the part of Windows responsible for controlling data/file access permissions.
The malware is also capable of disabling well-known antivirus products like Norton, McAfee, Avast and Kaspersky through a command:-

 "rd < AV directory > /s /q" 

 which is similar to "SELECT * FROM ANTIVIRUS": a single command that hits every file under the antivirus directory at once (/s removes the whole directory tree, /q suppresses the confirmation prompt).

This malware has been found in 30+ variants, which in turn makes tracking and removal difficult!
Investigating further, Avast tracked down certain loopholes which allowed them to uninstall the programs responsible for the malware. During this, SHA256 hashes of the malicious components were found alongside the games they were bundled with:-

How to prevent?

1> This might seem obvious, but still the first and foremost step is to avoid pirated games. We must understand the fact that, if something is available for free, "WE" are the product!!
2> Avoid turning off your antivirus while installing any software, especially when the software asks you to do so! There is absolutely no need to disable the antivirus/Defender to install software that is legal!
3> Scan your device regularly, even when auto-scan is on, as auto-scan is optimized to complete quickly and hence might miss malware!

Already hacked by "Crackonosh"?! You can still secure your device!

Step 1> Disconnect from the internet immediately!
Step 2> Open "Task Scheduler" in Windows and delete the following scheduled tasks:-

  • Microsoft\Windows\Maintenance\InstallWinSAT
  • Microsoft\Windows\Application Experience\StartupCheckLibrary
  • Microsoft\Windows\WDI\SrvHost\
  • Microsoft\Windows\Wininet\Winlogui\
  • Microsoft\Windows\Windows Error Reporting\winrmsrv

Step 3> Open %localappdata%/programs/Common and delete the file named:- "UserAccountControlSettingDevice.dat"
Step 4> Go to the System32 folder and delete the following files:-

  • 7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450,
  • 7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450B.
  • diskdriver.exe, maintenance.vbs, serviceinstaller.exe, serviceinstaller.msi, startupcheck.vbs,
  • startupchecklibrary.dll, windfn.exe, winlogui.exe, winrmsrv.exe, winscomrssrv.dll, wksprtcli.dll
Step 5> Reinstall Defender or whichever third-party antivirus you had before! And boom, you are done!
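Before deleting anything, it helps to know what is actually on the machine. The script below is an added example (not from this post, nor Avast's tooling): a read-only PowerShell check, run from an elevated prompt, that looks for the scheduled tasks and files named in Steps 2 to 4 and reports them without removing anything. The indicator names come from this post; the Windows Update service check at the end is an assumption added because the post says the malware turns updates off.

```powershell
# Added example: read-only check for the Crackonosh artefacts listed in this post.
# Not code from the post or from Avast. It only reports; it deletes nothing.
# Some names could collide with legitimate items, so every hit deserves a closer look.

$tasks = @(
    'Microsoft\Windows\Maintenance\InstallWinSAT',
    'Microsoft\Windows\Application Experience\StartupCheckLibrary',
    'Microsoft\Windows\WDI\SrvHost\',
    'Microsoft\Windows\Wininet\Winlogui\',
    'Microsoft\Windows\Windows Error Reporting\winrmsrv'
)
$sys32Files = @(
    'diskdriver.exe', 'maintenance.vbs', 'serviceinstaller.exe', 'serviceinstaller.msi',
    'startupcheck.vbs', 'startupchecklibrary.dll', 'windfn.exe', 'winlogui.exe',
    'winrmsrv.exe', 'winscomrssrv.dll', 'wksprtcli.dll'
)
$datFile = Join-Path $env:LOCALAPPDATA 'Programs\Common\UserAccountControlSettingDevice.dat'

$findings = @()

# Scheduled tasks: compare folder + name. Entries ending in '\' are task folders,
# so anything registered inside them counts as a hit.
$all = Get-ScheduledTask -ErrorAction SilentlyContinue
foreach ($t in $tasks) {
    $hits = $all | Where-Object {
        $full = ($_.TaskPath + $_.TaskName).TrimStart('\')
        if ($t.EndsWith('\')) { $full -like ($t + '*') } else { $full -eq $t }
    }
    foreach ($h in $hits) { $findings += "Scheduled task: $($h.TaskPath)$($h.TaskName)" }
}

# Dropped files in System32 and the UAC-lookalike .dat file
foreach ($f in $sys32Files) {
    $p = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path $p) { $findings += "File: $p" }
}
if (Test-Path $datFile) { $findings += "File: $datFile" }

if ($findings.Count -eq 0) {
    Write-Host 'No Crackonosh indicators from this post were found.'
} else {
    Write-Host 'Possible Crackonosh indicators (review before removing anything):'
    $findings | ForEach-Object { Write-Host "  $_" }
}

# Assumed extra check: the post says Windows Update gets switched off,
# so a disabled wuauserv service is worth reporting alongside the files.
Get-Service -Name wuauserv | Select-Object Name, Status, StartType
```

If the task and file lists above come back empty but the service shows as Disabled, treat that as a reason to keep looking rather than as an all-clear.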

It is always better to prevent than to regret and cure later! Hence avoid pirated programs and protect yourself from such malware.
Stay cyber safe and see you all in the next blog :)