Researchers at Avast have identified new malware, named Crackonosh, that abuses Windows Safe Mode to mine cryptocurrency without being detected. It is distributed inside pirated software and has been in use since June 2018. The infection begins with the drop of an installer and a script that modifies the Windows registry so that the main malware executable is permitted to run in Safe Mode; the malware then forces the device to restart into Safe Mode. According to the researchers, antivirus software does not run in Safe Mode, so the malware can disable it unopposed. It scans for other antivirus products, not only Windows Defender, and attempts to disable those as well, and it deletes log files to cover its tracks. The final stage downloads XMRig, a cryptocurrency miner that consumes the victim's CPU time and power to mine Monero.
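The registry change described above is what a defender can look for: anything Windows will start in Safe Mode is listed under the SafeBoot keys, and a forced Safe Mode restart shows up as a "safeboot" element in the boot configuration. The following PowerShell audit is an added example written for this page; it is not code from the article, from Avast, or from Binary Defense. It assumes the standard HKLM SafeBoot\Minimal and SafeBoot\Network layout, an elevated prompt, and it only resolves entries of kind "Service" (driver entries are keyed by file name rather than service name and are skipped). "Outside the Windows directory", "unsigned" and "service key missing" are heuristics to triage, not proof of infection.

```powershell
# Added example: audit Safe Mode boot persistence (not from the article, Avast or Binary Defense).
# Assumes an elevated PowerShell session on Windows 10/11 with the standard SafeBoot key layout.

function Get-SafeBootEntries {
    $sysRoot = $env:SystemRoot
    foreach ($profile in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile"
        foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $name = $sub.PSChildName
            # The subkey's default value is "Service", "Driver", or a device-class description (GUID keys)
            $kind = (Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($kind -ne 'Service') { continue }

            # A "Service" entry names a service that Windows will start in Safe Mode
            $svc   = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
            $image = [string]$svc.ImagePath

            # Normalise ImagePath to an on-disk binary path: expand %vars%, map \SystemRoot and bare system32 paths
            $exe = [Environment]::ExpandEnvironmentVariables($image)
            $exe = $exe -replace '^\\\?\?\\', ''
            $exe = $exe -replace '^\\SystemRoot', $sysRoot
            if ($exe -match '^(system32|syswow64)\\') { $exe = Join-Path $sysRoot $exe }
            if ($exe -match '^"?([^"]+?\.(exe|sys|dll))') { $exe = $Matches[1] }

            $signed = $false
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $signed = (Get-AuthenticodeSignature -LiteralPath $exe).Status -eq 'Valid'
            }

            [pscustomobject]@{
                Profile           = $profile
                Entry             = $name
                ImagePath         = $image
                Resolved          = $exe
                ServiceMissing    = ($null -eq $svc)
                OutsideSystemRoot = ($exe -ne '') -and -not $exe.StartsWith($sysRoot, 'OrdinalIgnoreCase')
                ValidSignature    = $signed
            }
        }
    }
}

function Test-SafeBootFlag {
    # A "safeboot" element on the current boot entry forces the next restart into Safe Mode,
    # which is the restart the malware relies on to get antivirus out of the way.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($bcd | Where-Object { $_ -match '^\s*safeboot\s' })
}

# Triage view: entries that point outside the Windows directory, are unsigned, or whose service key is gone
Get-SafeBootEntries |
    Where-Object { $_.OutsideSystemRoot -or -not $_.ValidSignature -or $_.ServiceMissing } |
    Format-Table -AutoSize

if (Test-SafeBootFlag) {
    Write-Warning 'BCD "safeboot" element is set on {current}: the next reboot will enter Safe Mode.'
}
```

Run it periodically or from an EDR script job and compare the output with a known-good baseline of the same host: stock Windows lists only Microsoft services here, so a new "Service" entry whose binary sits under a user-writable directory, or a safeboot element that nobody set via bcdedit, is the kind of abnormal activity worth escalating.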
The malware infects approximately 1,000 new devices each day and has infected over 220,000 devices in total. Thirty variants have been observed, the latest released in November 2020. Crackonosh will keep infecting computers as long as people keep downloading pirated software. The best defense is to avoid installing software of unknown origin, especially cracked copies of products that normally have to be paid for. Organizations can add endpoint monitoring such as Binary Defense's Managed Detection and Response, which looks for abnormal activity on a device (an unexpected reboot into Safe Mode, antivirus being disabled, deleted logs, or unexplained CPU load from a miner) and identifies attacks quickly so they can be mitigated.
More can be read here: https://www.zdnet.com/article/crackonosh-malware-abuses-windows-safe-mode-to-quietly-mine-for-cryptocurrency/