Researchers at Avast have identified new malware named Crackonosh, which mines cryptocurrency by abusing Windows Safe Mode. It spreads through pirated software and has been in use since June 2018. The infection begins with the drop of an installer and a script that modifies the Windows registry so that the main malware executable can run in Safe Mode. According to the researchers, antivirus software does not work once the malware forces the device to restart in Safe Mode. The malware also scans for other antivirus products, not just Windows Defender, and attempts to disable them as well. Crackonosh also deletes log files to cover its tracks. In the final step of the attack, it downloads XMRig, a cryptocurrency miner that uses the system's power and resources to mine Monero.
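The summary above says the installer script changes the registry so that the malware can run in Safe Mode. The following is an added detection example, not code from Avast or Binary Defense: it flags registry writes under the `SafeBoot` keys in constructed telemetry. The key paths are general Windows behaviour rather than details from this page, and the event schema, operation names and `ExampleSvc` are assumptions.

```python
import json
import re

# Drivers and services start in Safe Mode only if named under these keys.
# General Windows behaviour; the page does not list the keys Crackonosh writes.
SAFEBOOT_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$",
    re.IGNORECASE,
)
WRITE_OPS = {"createkey", "setvalue"}  # hypothetical op names for this sample

# Constructed events; the field names are an assumed telemetry schema.
SAMPLE_EVENTS = r"""
{"ts":"2021-06-25T10:01:02Z","op":"CreateKey","key":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\ExampleSvc","image":"C:\\Windows\\System32\\wscript.exe"}
{"ts":"2021-06-25T10:01:03Z","op":"SetValue","key":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","image":"C:\\Windows\\System32\\wscript.exe"}
{"ts":"2021-06-25T10:01:04Z","op":"SetValue","key":"hkey_local_machine\\system\\ControlSet001\\Control\\SafeBoot\\Network\\ExampleSvc","image":"C:\\Windows\\System32\\cmd.exe"}
{"ts":"2021-06-25T10:01:05Z","op":"QueryValue","key":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\ExampleSvc","image":"C:\\Windows\\System32\\svchost.exe"}
not-json truncated line
"""


def find_safeboot_writes(text):
    """Return one finding per write that adds or changes a SafeBoot entry."""
    findings = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or corrupt log lines
        if not isinstance(event, dict):
            continue
        if str(event.get("op", "")).lower() not in WRITE_OPS:
            continue  # reads of the key are not a change
        match = SAFEBOOT_RE.match(str(event.get("key", "")))
        if match:
            findings.append({
                "ts": event.get("ts"),
                "mode": match.group(1).capitalize(),
                "entry": match.group(2),
                "image": event.get("image"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_safeboot_writes(SAMPLE_EVENTS):
        print(finding)
```

In practice the findings would be compared against a known-good list of Safe Mode entries for the Windows build in use, since legitimate drivers and services are registered under the same keys.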