CyberWire Daily - Free malware with cracked software. [Research Saturday]
Episode Date: July 24, 2021

Guest Christopher Budd, Senior Global Threat Communications Manager at Avast, joins Dave to talk about some research his team did when they looked into a Reddit report saying their Avast folder was empty and other reports like it. The team found a new malware they're calling "Crackonosh" in part because of some possible indications that the malware author may be Czech. Crackonosh is distributed along with illegal, cracked copies of popular software and searches for and disables many popular antivirus programs as part of its anti-detection and anti-forensics tactics. The research can be found here: Crackonosh: A New Malware Distributed in Cracked Software

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life
Thank you.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
We started looking into this based on a Reddit post. Someone said that their Avast folder was
suddenly empty and they were wondering what was up with that. We started looking into that and eventually when we finished pulling on that thread,
we found a malware that was distributing XMRig and made for its author about $2 million in Monero.
That's Christopher Budd. He's Senior Global Threat Communications Manager at Avast.
The research we're discussing
today is titled Crackonosh, a new malware distributed in cracked software.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization
with Zscaler
Zero Trust and AI. Learn more at zscaler.com slash security.
Let's go through it together then. I mean, take me through the infection pathway here. How would somebody find themselves
of Crackonosh that we are familiar
with has ended up on someone's system because someone decided that they wanted one of the
hottest new games. We've got a full, you know, a full list here. So like Grand Theft Auto 5,
someone decided, you know what, I want Grand Theft Auto 5, but I don't want to pay for it.
So they go and they get a cracked version, and they get Grand Theft Auto 5, and they get Crackonosh for free.
I see. No extra charge.
Exactly, exactly. You know, it's part of the service, right?
Well, I mean, let's dig into it some here.
So you download one of these cracked versions of the software,
and how does Crackonosh go about its business of installing itself?
So you start running the installation like you would expect.
As part of the cracking process, the person or people behind Crackonosh have made some adjustments to that installer. That installer will install the cracked game. It will also spin up
a VBS script that's called maintenance.vbs, and that starts the whole thing going. That script will kick off an MSI package. It will install something called serviceinstaller.exe,
which sounds like a legitimate kind of nuts and bolts sort of Windows program,
but that's the actual main malware. The other thing that this whole script routine does
is it makes changes to the Windows registry.
It's actually going to, at some point,
boot your system up into safe mode
so that once it's in safe mode,
it's going to go through and strip out your antivirus software.
And this brings us back.
Remember I said this all started with a post saying my Avast had disappeared?
Right.
That's why it disappeared.
Because the Crackonosh installation sequence will at some point boot up in safe mode.
It's going to get rid of your security software.
It's going to turn off Windows Update. It's going to get rid of Windows Defender and put something in there that will look like Defender
in the System Tray, but it's not.
Right. So you still have that icon sitting down there. So you're lulled into thinking that everything's still fine.
Exactly. And so it does all that. It's going to wait a few days before
it really kicks in, which is another tactic that they're using to lay low and avoid detection.
Yeah, that was fascinating to me that there's a counter installed that lets you reboot the system
X number of times before it does that. Because I was sort of trying to think through this in my own mind,
and I would imagine if I went and downloaded some cracked software,
not that I would, but if I ever did,
that would be at the moment of installation
is when I would probably be most suspicious
and on the lookout for something being amiss.
Exactly, exactly.
And this sort of delaying tactic, it's not unique to this.
You know, we did some research, I want to say in February, completely different topic area.
We did research into some browser extensions that would install malware on your system. And part of the anti-analysis, anti-detection,
anti-forensics capabilities that that had,
once again, was to set, I believe in that case,
it was a three-day wait period
between when the malicious extension was installed
and when it would finally start doing its malicious activity.
Hmm. So what happens next?
So it does all of that, and then it downloads the XMRig coin mining software.
And basically, that's it.
It's going to start running XMRig and make Monero for the people that did this.
And what's going on in terms of it being able to communicate
with some sort of command and control server?
How's it going about that?
In terms of CNC, we didn't see a lot of activity on that.
It's not a strictly centrally controlled piece of malware
like we've seen with some others.
In this case, it's basically running XMRig and shipping the product of its mining off to Monero wallets.
And so in terms of folks detecting this, what are your recommendations?
You know, that's part of
the challenge because, you know, it does sit and wait. You know, some of the things that you can
look for are, you know, classic with coin mining. You know, your system's going to be unresponsive.
It's going to be slow. If you happen to see that your antivirus and security has quit running or has disappeared, that's another tip-off.
No more Windows Update is a tip-off.
But otherwise, you know, they do a pretty good job of keeping this quiet.
You know, really the biggest tip-off for anyone, first and foremost, is did you download any cracked software?
Right, right. Yeah. I mean, I guess you never want to blame the victim, but
there's a pretty clear line between point A and point B here.
There is. And that's another piece of what makes this. I mean, you don't want to be complimentary of people doing bad things, but I think it is important to have proper respect in the same way that you respect a hurricane, for instance.
And targeting people who are out of the gate engaged in questionable, potentially illegal activity is pretty smart because, you know, how many people are going to go to the police basically saying, hey, you know, this thing that I tried to steal, well, someone put malware in it.
Can you help me?
Right, right, right.
Exactly.
Right.
So for you and your team who are trying to track things like this down, I mean, is that a particular challenge there itself that when you go and try to talk to the folks who've been infected here, I could imagine them hesitating to share that they were downloading cracked software?
Well, in this case, so for instance, a lot of the research that we
and research teams do, we don't necessarily need to do, you know, kind of in-person interviews. So
like I said, for this one, we saw the Reddit posting and we were able to start looking,
you know, seeing what we can see from, you know, from detected malware on customer systems. We can go and look at places like VirusTotal.
And so we can assemble a picture of what's happening out there
without necessarily having to talk with specific discrete individuals.
I see. I see.
Do you have any sense for how widespread this is?
You know, in terms of numbers,
it was pretty widespread.
We traced this back to about 2018.
You know, we've said,
based on our telemetry,
probably something like 222,000 systems
have at some point been infected
with this worldwide.
You know, it's made $2 million
worth of Monero for the authors. So, you know,
it has a pretty sizable footprint. And, you know, let's go back to something that you were asking
about earlier. The fact that it's been around for two to three years and no one has really
discovered it until now is a testament to the effectiveness in the targeting
that the authors of this made.
Again, targeting people who are doing questionable activity.
And it's a testament to the smart choices
that they made in constructing this
to get rid of AV, to turn off Windows updates,
to delay the running of the coin mining software.
So it's really effective at not drawing undue attention to itself.
Exactly. And that's what they want.
That's how they got this on at least 222,000 systems.
And that's what helped them make $2 million.
Any idea who's behind this or what part of the world this is coming from?
Sure. So some of the indicators that the research team saw in the malware and the installers
lead them to believe that at least part of this is made by someone in the Czech Republic.
So that's actually kind of a fun fact.
That's actually part of the naming for this.
So a Krakonoš in Slavic folklore and mythology is a mountain spirit.
And the research team decided to call this Crackonosh, first
because it deals with cracked software,
and then they went with that also for the possible Czech connections that we found.
Our thanks to Christopher Budd from Avast for joining us. The research is titled Crackonosh, a new malware distributed in cracked software.
We'll have a link in the show notes.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Thank you.
CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.