Beware: Someone is distributing cryptocurrency mining malware disguised as legitimate-looking applications, such as Google Translate, on free software download sites and through Google searches.
The crypto mining trojan, known as Nitrokod, is usually disguised as a clean Windows app and works for days or weeks as the user expects before executing the hidden Monero mining code.
The Turkish-speaking group behind Nitrokod — which has been operating since 2019 and was discovered by Check Point Research threat hunters in late July — is said to have already infected thousands of systems in 11 countries. What’s interesting is that the apps offer a desktop version for services that are generally only found online.
“The malware is removed from applications that are popular but don’t have a true desktop version, such as Google Translate, making the malware versions sought after and exclusive,” Check Point malware analyst Moshe Marelus wrote in a report Monday.
“The malware drops almost a month after infection and follows other phases to drop files, making it very difficult to analyze back to the initial phase.”
In addition to Google Translate, Nitrokod impersonates other translation applications – including Microsoft Translator Desktop – and MP3 downloader programs. On some sites, the malicious applications boast that they are “100% clean”, although they are actually loaded with mining malware.
Nitrokod has managed to use download sites like Softpedia to spread its naughty code. According to Softpedia, the Nitrokod Google Translator app has been downloaded more than 112,000 times since December 2019.
According to Check Point, the Nitrokod programmers are patient and take a lot of time and multiple steps to hide the presence of the malware on an infected PC before installing aggressive crypto mining code. Such lengthy multi-stage infection efforts allowed the campaign to go undetected by cybersecurity experts for years before it was finally discovered.
“Most of their developed programs are easy to build from the official web pages using a Chromium-based framework,” he wrote. “For example, the Google Translate desktop application is converted from the Google Translate webpage using the CEF [Chromium Embedded Framework] project. This gives attackers the ability to distribute functional programs without having to develop them.”
Once the booby-trapped program has been downloaded and the user has launched it, a real Google Translate app, built as described above with Chromium, is installed and works as expected. At the same time, the software quietly downloads and stores a series of executable files in the background that eventually schedule one particular .exe to run every day once it’s extracted. That executable extracts another, which connects to a remote command-and-control server, retrieves configuration settings for the Monero miner code, and starts the mining process, sending generated coins to miscreants’ wallets. Some of the early-stage code self-destructs to cover its tracks.
“At this point, all related files and evidence are being deleted and the next phase of the infection chain is continued after 15 days by the Windows utility schtasks.exe,” Marelus wrote. “In this way, the first phases of the campaign are separated from the next, making it very difficult to trace the source of the infection chain and block the first infected applications.”
One phase also checks for known virtual machine processes and security products, which may indicate that the software is being analyzed by researchers. If one is found, the program will close. If the program continues, it will add a firewall rule to allow incoming network connections.
During the different phases, the attackers deliver the next stage inside password-protected, encrypted RAR archives so that it is more difficult to detect.
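As an added illustration of how a defender might hunt for the persistence pattern described above (a daily scheduled task plus an inbound firewall allow rule pointing at a binary in a user-writable directory), the following Python is not from Check Point's report or the Nitrokod campaign; the flattened log format, field names and sample events are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample Windows Security log lines (not taken from the report), flattened to
# "EventID|Host|Field=Value;..." for readability. 4698 = scheduled task created,
# 4946 = firewall exception rule added. Field names are an assumption of this example.
SAMPLE_EVENTS = [
    r"4698|HOST-A|TaskName=\Updater;Command=C:\Users\bob\AppData\Roaming\upd\run.exe;Schedule=Daily",
    r"4946|HOST-A|RuleName=upd;Direction=Inbound;Action=Allow;App=C:\Users\bob\AppData\Roaming\upd\run.exe",
    r"4698|HOST-B|TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag;Command=C:\Windows\system32\defrag.exe;Schedule=Weekly",
    r"4946|HOST-C|RuleName=Chrome;Direction=Inbound;Action=Allow;App=C:\Program Files\Google\Chrome\chrome.exe",
]

# Locations a dropped payload typically runs from, but a properly installed service rarely does.
USER_WRITABLE = re.compile(r"^C:\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.IGNORECASE)


def parse_event(line):
    """Split one flattened line into (event_id, host, {field: value})."""
    event_id, host, fields = line.split("|", 2)
    kv = dict(f.split("=", 1) for f in fields.split(";"))
    return int(event_id), host, kv


def suspicious_task(kv):
    """Daily task whose action binary lives in a user-writable directory."""
    return kv.get("Schedule") == "Daily" and bool(USER_WRITABLE.match(kv.get("Command", "")))


def inbound_allow_rule(kv):
    """Inbound allow rule for a program in a user-writable directory."""
    return (kv.get("Direction") == "Inbound" and kv.get("Action") == "Allow"
            and bool(USER_WRITABLE.match(kv.get("App", ""))))


def find_hosts(lines):
    """Return {host: [binaries]} where one binary has both a daily task and an inbound allow rule."""
    tasks, rules = defaultdict(set), defaultdict(set)
    for line in lines:
        event_id, host, kv = parse_event(line)
        if event_id == 4698 and suspicious_task(kv):
            tasks[host].add(kv["Command"].lower())
        elif event_id == 4946 and inbound_allow_rule(kv):
            rules[host].add(kv["App"].lower())
    # Correlate per host: the same path must appear in both event types.
    return {h: sorted(tasks[h] & rules[h]) for h in tasks if tasks[h] & rules[h]}


if __name__ == "__main__":
    for host, paths in find_hosts(SAMPLE_EVENTS).items():
        print(host, paths)
```

Either signal alone is noisy on real estates; the correlation on the same binary is what makes the hit worth a look.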
Check Point’s researchers were able to study the crypto mining campaign through the vendor’s Infinity extended detection and response (XDR) platform, Marelus claimed. ®