Warning: Someone is spreading cryptocurrency mining malware disguised as legitimate-looking applications, such as Google Translate, on freeware download sites and through Google searches.
The cryptomining trojan, known as Nitrokod, is usually disguised as a clean Windows application and operates as the user expects for days or weeks before its hidden Monero-creating code is executed .
The Turkish-speaking group behind Nitrokod – which has been active since 2019 and was detected by Check Point Research threat hunters in late July – is said to have already infected thousands of systems in 11 countries. What’s interesting is that the apps provide a desktop version of services that are usually only available online.
“Malware is removed from apps that are popular but don’t have an actual desktop version, like Google Translate, which keeps malware versions in-demand and exclusive,” wrote Moshe Marelus, malware analyst at Check Point. report Monday.
“The malware drops almost a month after infection and follows other stages to delete files, which makes it very difficult to analyze until the initial stage.”
In addition to Google Translate, other software operated by Nitrokod includes other translation applications – including Microsoft Translator Desktop – and MP3 download programs. On some sites, rogue apps will claim to be “100% clean”, although they are actually loaded with mining malware.
Nitrokod has managed to use download sites such as Softpedia to spread its rogue code. According to Softpedia, the Nitrokod Google Translator app has been downloaded over 112,000 times since December 2019.
According to Check Point, Nitrokod programmers are patient, time-consuming, and take several steps to conceal the presence of the malware inside an infected PC before installing aggressive cryptomining code. These lengthy, multi-step infection efforts allowed the campaign to go undetected by cybersecurity experts for years before it was finally discovered.
“Most of their developed programs are easily built from official web pages using a Chromium-based framework,” he wrote. “For example, the Google Translate desktop app is converted from the Google Translate web page using CEF [Chromium Embedded Framework] project. This gives attackers the ability to release working programs without having to develop them.”
Once the booby-trapped program is downloaded and the user launches the software, a real Google Translate application, built as described above using Chromium, is installed and runs as expected. At the same time, quietly in the background, the software fetches and saves a series of executables that eventually schedule a particular .exe file to run daily once unpacked. This extracts another executable which connects to a remote command and control server, retrieves configuration settings for the Monero miner code, and starts the mining process, with the generated coins sent to the malefactors’ wallets. Some of the early-stage code will self-destruct to cover its tracks.
“At this point, all associated files and evidence are deleted and the next step in the infection chain will continue after 15 days through the Windows utility schtasks.exe,” Marelus wrote. “In this way, the first steps of the campaign are separated from those that follow, making it very difficult to trace the source of the infection chain and block the first infected applications.”
A step also checks known virtual machine processes and security products, which could indicate that the software is being analyzed by researchers. If it finds one, the program will close. If the program continues, it will add a firewall rule to allow incoming network connections.
Throughout multiple stages, attackers use password-protected encrypted RAR files to deliver the next stage to make them harder to detect.
Check Point researchers were able to investigate the cryptomining campaign using the vendor’s Infinity Extended Detection and Response (XDR) platform, Marelus said. ®