Watch out: someone is spreading cryptocurrency-mining malware disguised as legitimate-looking applications, such as Google Translate, on free software download sites and through Google searches.
The cryptomining Trojan, known as Nitrokod, is typically disguised as a clean Windows app and works as the user expects for days or weeks before its hidden Monero-crafting code is executed.
It’s said that the Turkish-speaking group behind Nitrokod – which has been active since 2019 and was detected by Check Point Research threat hunters at the end of July – may already have infected thousands of systems in 11 countries. What’s interesting is that the apps provide a desktop version to services generally only found online.
“The malware is dropped from applications that are popular, but don’t have an actual desktop version, such as Google Translate, keeping the malware versions in demand and exclusive,” Check Point malware analyst Moshe Marelus wrote in a report Monday.
“The malware drops almost a month after the infection, and following other stages to drop files, making it very hard to analyze back to the initial stage.”
Along with Google Translate, other software leveraged by Nitrokod include other translation applications – including Microsoft Translator Desktop – and MP3 downloader programs. On some sites, the malicious applications will boast about being “100% clean,” though they are actually loaded with mining malware.
Nitrokod has been successful using download sites such as Softpedia to spread its naughty code. According to Softpedia, the Nitrokod Google Translator app has been downloaded more than 112,000 times since December 2019.
According to Check Point, the Nitrokod programmers are patient, taking a long time and multiple steps to cover up the malware’s presence inside an infected PC before installing aggressive cryptomining code. Such lengthy, multi-stage infection efforts allowed the campaign to run undetected by cybersecurity experts for years before finally being discovered.
“Most of their developed programs are easily built from the official web pages using a Chromium-based framework,” he wrote. “For example, the Google translate desktop application is converted from the Google Translate web page using the CEF [Chromium Embedded Framework] project. This gives the attackers the ability to spread functional programs without having to develop them.”
After the booby-trapped program is downloaded and the user launches the software, an actual Google Translate app, built as described above using Chromium, is installed and runs as expected. At the same time, quietly in the background the software fetches and saves a series of executables that eventually schedule one particular .exe to run every day once unpacked. This extracts another executable that connects to a remote command-and-control server, fetches configuration settings for the Monero miner code, and starts the mining process, with generated coins sent to miscreants’ wallets. Some of the early-stage code will self destruct to cover its tracks.
“At this point, all related files and evidence are deleted and the next stage of the infection chain will continue after 15 days by the Windows utility schtasks.exe,” Marelus wrote. “This way, the first stages of the campaign are separated from the ones that follow, making it very hard to trace the source of the infection chain and block the initial infected applications.”
One stage also checks for known virtual-machine processes and security products, which might indicate the software is being analyzed by researchers. If one is found, the program will exit. If the program continues, it will add a firewall rule to allow incoming network connections.
Throughout the multiple stages, the attackers use password-protected RAR encrypted files to deliver the next stage to make them more difficult to detect.
Check Point researchers were able to study the cryptomining campaign through the vendor’s Infinity extended detection and response (XDR) platform, Marelus claimed. ®