A new Monero cryptojacking malware has been discovered spreading via cracked versions of well-known online games. According to researchers, the threat is identified as Crackonosh. It wipes out antivirus programs, along with mining cryptocurrency in more than a dozen countries.

What was identified?

According to a recent report, the malware has been active since June 2018 and spreading via pirated versions of NBA 2K19, Pro Evolution Soccer 2018, Grand Theft Auto V, and gamers can download them for free.
  • In the case of Crackonosh, the ultimate goal is to install the coin miner XMRig to mine Monero cryptocurrency from within the cracked software downloaded to the infected device.
  • So far, attackers behind this recent campaign have mined 9000 XMR (more than $2 million) in total.
  • Additionally, the malware is spreading fast, infecting 222,000 unique devices in more than a dozen countries since last December. As of May, it is still getting about 1,000 hits in a single day.
  • Moreover, the most targeted countries are the Philippines with 18,448 victims, followed by Brazil (16,584), India (13,779), Poland (12,727), the U.S. (11,856); and the U.K (8,946).

The malware disables Windows Update/Defender by deleting a list of registry entries and turns off automatic updates. Moreover, it installs MSASCuiL[.]exe file that puts the icon of Windows Security to the system tray.

The infection chain

The infection chain begins as soon as someone downloads and installs the cracked software. The installer runs maintenance[.]vbs. This kicks off the installation process using serviceinstaller[.]msi.
  • Now, the serviceinstaller[.]msi process registers and runs the main malware .exe file identified as serviceinstaller[.]exe. It drops another file, StartupCheckLibrary[.]DLL, that downloads and runs wksprtcli[.]dll. 
  • This file (wksprtcli[.]dll) extracts newer winlogui[.]exe file and then drops the winscomrssrv[.]dll and winrmsrv[.]exe that it stores decrypts, and then places in the folder.


Cracked software is one of the major sources used by attackers to spread malware, and threats such as Crackonosh continue to exploit the interest of users in such unreliable sources. Therefore, users are recommended to use genuine software to prevent any cyber-incidents.

Cyware Publisher