Nitrokod Crypto Miner hides in fake Microsoft and Google Translate apps
Check Point researchers have shared details of a new campaign that cybercriminals are deploying cryptocurrency mining malware. This malware is difficult to detect by unsuspecting users because it is distributed through fake and malicious Google Translate and other popular apps.
According to researchers, malware is spread via third-party websites hosted on platforms such as Uptodown and Softpedia that offer free software downloads. These sites can be accessed through a simple Google search.
Campaign analysis
The cryptocurrency mining trojan is called Nitrokod. It is widely disguised as a pure Windows program. The malware keeps the drive on hold for several days or weeks and starts it Monero mining code when it deems it safe.
“This malware is readily available and anyone can use it,” said Check Point’s vice president of research, Maya Horowitz. The list of victims is quite varied as they are spread over the following countries:
- Israel
- Turkey
- Cyprus
- Greece
- Poland
- Germany
- Australia
- Mongolia
- Sri Lanka
- United States
- Great Britain
Malware analyst at Check Point Moshe Marelus stated that malware drops around a month after infection, and dropping files is a multi-step process, making it quite complicated to trace the initial stages.
Attack tactics
The attack is one multi-step sequence where each dropper paves the way for another dropper until the actual malware is dropped. The app runs as expected when the user downloads and installs the software loaded with Nitrokod malware while the malicious Trojan works stealthily in the background. It fetches and stores multiple executables and schedules an .exe file to run each day once they are extracted.
When the files are executed, another executable is extracted, which establishes a connection to a C2 server, retrieves device configuration settings for Monero miner code, and the mining process starts. The generated coins are sent to the attackers’ wallets. At some point, all files in the first phase delete themselves, and the next phase of the infection chain starts after fifteen days through the Windows tool schtasks.exe.
“In this way, the first stages of the campaign are separated from those that follow, making it very difficult to trace the source of the infection chain and block the first infected applications.”
Moshe Marelus – Checkpoint
The malware also inspects for known virtual machine processes and installed security products. If detected, the program stops and exits.
One step also checks for known virtual machine processes and security products. If found, the program exits. If not, it continues. Cybercriminals use RAR encrypted, password protected files through the stages to make them difficult to detect.
Who are the attackers?
CheckPoint’s investigations suggests that a Turkish-speaking group of hackers called Nitrokod is behind this campaign, Check Point Research’s team revealed. It has been active since 2019. This campaign was discovered in July 2022 and has so far affected 111,000 users in 11 countries.
The method used to trap users is by offering desktop versions of legitimate apps that do not have their desktop versions. Nitrokod programmers wait patiently before launching malware, and their attacks involve multiple stages.
Software exploited
Aside from Google Translate, Nitrokod leveraged other translation apps, such as YouTube Music, Microsoft Translator Desktop, and MP3 downloaders. The malicious apps claim to be 100% clean but contain a crypto miner.
Related news
- Google ReCaptcha bug allows bots to bypass the audio captcha challenge
- Fake Brave browser site dropped malware, thanks to Google Ads
- Google, Microsoft and Oracle generated the most vulnerabilities in 2021
- Google shares details about unpatched Windows AppContainer vulnerability
- Google Drive accounted for 50% of malicious Office document downloads
