Someone is using cracked copies of top video game titles to install crypto-mining malware on PCs belonging to hundreds of thousands of unsuspecting victims—a ploy that’s netted the criminals a hefty $2 million so far.
Researchers at Avast this week said newly discovered malware dubbed Crackonosh had been detected in pirated copies of PC games such as Grand Theft Auto V and NBA 2K19.
Crackonosh does not immediately go to work once the infected game is installed. Like many viruses, it takes a beat to avoid raising suspicion and catch its victims off guard. After a handful of restarts, a malicious process is triggered that forces the system into safe mode, where any security tools are inert and easily deleted.
“Crackonosh installs itself by replacing critical Windows system files and abusing the Windows Safe mode to impair system defenses,” wrote Avast malware analyst Daniel Beneš. “This malware further protects itself by disabling security software, operating system updates and employs other anti-analysis techniques to prevent discovery, making it very difficult to detect and remove.”
Avast disclosed Thursday, in fact, that it had discovered Crackonosh after hearing reports from redditors about its own antivirus software mysteriously being deleted.
Crackonosh’s main purpose is the installation of XMRig, a CPU/GPU miner. More than 222,000 infections have been detected so far, equaling more than $2 million in mined Monero, a popular cryptocurrency—a clear demonstration of this attack’s profitability. The earliest infections date back to June 2018, researchers say.
Beneš said the spread of malicious coin miners would never cease as long as cracked software remained widely in circulation.
“The key take-away from this is that you really can’t get something for nothing,” Beneš said, “and when you try to steal software, odds are someone is trying to steal from you.”