Threat Research

CoinHelper hides in repackaged installers of software, Windows 11, games, and antivirus

Christopher Budd 1 Dec 2021

Here's a reminder to make sure you’re always getting legitimate software

Attackers hide malware in cracked, illegal, unauthorized, repackaged copies of software, giving people who are themselves trying to steal software more than they bargained for. This summer, we talked about Crackonosh hiding in cracked versions of top games and how its coinmining malware netted attackers over $2 million. 

Avast Threat Labs has released new research highlighting another family of malware that uses this same trick but is spread even more widely. CoinHelper is another coinmining malware family that is bundled in with cracked, illegal, unauthorized repackaged copies of games and programs and has netted its authors more than $330,000, primarily from Monero but also Bitcoin and Ethereum.

One thing that makes CoinHelper different from Crackonosh is the huge variety of software the attackers behind CoinHelper are abusing. While we found Crackonosh exclusively in cracked games, we have found CoinHelper bundled with cracked and repackaged software including games, but also game cheats, utilities like WinRAR, versions of nearly all major vendors’ security software (including old versions of our own products) and even Google Chrome, Microsoft Office and the new Windows 11 operating system from Microsoft.


Further reading:
How do you steal millions in crypto? Easy — use copy and paste
Phishing scams are taking advantage of crypto hype


All in all, we have found CoinHelper bundled with over 2,700 different games, utilities, applications, security programs, and operating system images. Since the beginning of 2020, we have seen more than 220,000 attempts to infect Avast users with CoinHelper. The most-attacked country we saw was Russia which accounted for 83,000, or 38% of the attacks. Ukraine was the second most attacked country, with 42,000 or 19% of the attacks.

 

This makes sense, since the majority of samples we found were Russian language versions of software and on Russian language forums.

For example, here’s a cracked version of an old (circa 2016) version of our Premium product in Russian.

And here is a Russian-language forum posting offering an unauthorized version of Windows 11 for download via torrents.

How to protect yourself 

Fortunately, there’s an easy way to protect yourself from CoinHelper (and Crackonosh): don’t download illegal, cracked, unauthorized, repackaged copies of games, cheats, applications, security software, and operating systems. If you avoid illegal, cracked, unauthorized, repackaged software, you avoid the threat: every instance of CoinHelper we’ve seen is in one of these kinds of software never in legitimate, authorized, legal software.

The way you do this is you only get software from known, trusted sources, like the Windows Store or vendors’ official websites. You can also check the digital signature of an installer to verify it by right-clicking it, selecting properties and verifying the information on the signature tab.

Finally, you can always tell something is sketchy if it urges you to disable your antivirus before or during the installation. Legitimate software should never advise this. 

If you make sure you’re always getting legitimate software, you can avoid threats like CoinHelper.