According to new research, crypto mining malware has secretly invaded hundreds of thousands of computers around the world since 2019, often disguised as legitimate programs such as Google Translate.
In a Monday report from Check Point Research (CPR), the research arm of the US-Israeli cybersecurity provider Check Point Software Technologies, the team revealed that the malware has been flying under the radar for years, thanks in part to an insidious design that delays installation of the crypto mining component until weeks after the initial software download.
.@_CPResearch_ detected a #crypto miner #malware campaign, which may have infected thousands of machines worldwide. Dubbed ‘Nitrokod’, the attack was initially found by Check Point XDR. Read the details here: https://t.co/MeaLP3nh97 #cryptocurrency #TechnologyNews #CyberSec pic.twitter.com/ANoeI7FZ1O
— Check Point Software (@CheckPointSW) 29 August 2022
Linked to a Turkish-language software developer who claims to offer “free and safe software”, the malware program penetrates PCs through counterfeit desktop versions of popular apps such as YouTube Music, Google Translate and Microsoft Translate.
Once a scheduled task triggers the malware installation process, it advances steadily through several stages over several days, culminating in a stealthy Monero (XMR) crypto mining operation.
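The staging behaviour described above (a scheduled task that repeatedly launches something from a user-writable location, possibly hidden) is the kind of thing a defender can triage from exported task definitions. The following is an added example, not Check Point's code or anything taken from the Nitrokod samples: it parses the Windows Task Scheduler XML format and scores a task on a few generic indicators. The two task definitions embedded in it are constructed for illustration, not real Nitrokod artifacts, and the path and interpreter lists are assumptions a team would tune to its own estate.

```python
"""Triage exported Windows Task Scheduler definitions (the XML produced by
`schtasks /query /xml` or Export-ScheduledTask) for the staging pattern the
article describes: a recurring, possibly hidden task launching a program from
a user-writable directory. Added example; the two XML samples below are
constructed for illustration and are not Nitrokod's actual task."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths a vendor-installed task rarely runs from (assumed list; tune per estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Interpreters that hide the real payload until run time (assumed list).
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe")
# Trigger elements that make a task fire repeatedly or at every session start.
RECURRING = {"CalendarTrigger", "TimeTrigger", "LogonTrigger", "BootTrigger"}


def local(tag):
    """Strip the XML namespace from an element tag: '{ns}Exec' -> 'Exec'."""
    return tag.rsplit("}", 1)[-1]


def triage_task(xml_text):
    """Return the task's actions, triggers, hidden flag, findings and a verdict."""
    root = ET.fromstring(xml_text)

    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))

    trig_parent = root.find("t:Triggers", NS)
    triggers = [] if trig_parent is None else [local(c.tag) for c in trig_parent]
    hidden_text = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS) or ""
    hidden = hidden_text.strip().lower() == "true"

    findings = []
    for cmd, args in actions:
        low = (cmd + " " + args).lower()
        if any(marker in low for marker in USER_WRITABLE):
            findings.append("runs-from-user-writable-path")
        if cmd.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            findings.append("script-host-launcher")
    if RECURRING & set(triggers):
        findings.append("recurring-trigger")
    if hidden:
        findings.append("hidden-task")

    # Any single indicator is common on a normal machine (updaters recur, some
    # vendors hide tasks); the combination is what is worth an analyst's time.
    verdict = "review" if len(findings) >= 3 else "low-priority"
    return {"actions": actions, "triggers": triggers, "hidden": hidden,
            "findings": findings, "verdict": verdict}


# Constructed sample: a typical vendor updater under Program Files.
BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2022-01-01T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/check</Arguments></Exec></Actions>
</Task>"""

# Constructed sample: hidden daily task running an "updater" from the user's roaming profile.
SUSPICIOUS = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2022-01-01T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>C:\Users\alice\AppData\Roaming\FakeTranslate\update.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        result = triage_task(xml_text)
        print(name, result["verdict"], result["findings"])
```

Run it over a directory of exported task XML files and sort by verdict; the point of the three-indicator threshold is that a daily trigger alone (every updater has one) should not page anyone, while daily plus hidden plus a path under AppData should.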
The cybersecurity firm said the Turkey-based cryptominer called ‘Nitrokod’ has infected machines in 11 countries.
According to CPR, popular software download sites such as Softpedia and Uptodown had counterfeits available under the publisher name Nitrokod INC.
Some programs had been downloaded hundreds of thousands of times, such as the fake desktop version of Google Translate on Softpedia, which even had nearly a thousand reviews, with an average star rating of 9.3 out of 10, despite Google not having an official desktop version for that program.
According to Check Point Software Technologies, offering a desktop version of apps is a key part of the scam.
Most of the programs offered by Nitrokod do not have a desktop version, making the counterfeit software attractive to users who think they have found a program that is not available anywhere else.
According to Maya Horowitz, vice president of research at Check Point Software, the malware-riddled counterfeits are also available “with a simple web search.”
“What’s most interesting to me is the fact that the malicious software is so popular, yet has remained under the radar for so long.”
At the time of writing, Nitrokod’s imitation Google Translate Desktop program remains one of the top search results.
Design helps avoid detection
The malware is very difficult to detect because even after a user launches the fake software, they are left none the wiser: the counterfeit apps also mimic the functions the legitimate app offers.
Most of the hacker's programs can be easily built from the official web pages using a Chromium-based framework, which lets them distribute functional programs loaded with malware without having to develop them from scratch.
So far, more than a hundred thousand people in Israel, Germany, the United Kingdom, the United States, Sri Lanka, Cyprus, Australia, Greece, Turkey, Mongolia and Poland have all fallen prey to the malware.
To avoid getting scammed by this malware and other similar malware, Horowitz says several basic security tips can help reduce the risk.
“Watch out for lookalike domains, misspellings on websites, and unknown email senders. Only download software from authorized, well-known publishers or vendors and make sure your endpoint security is up-to-date and offers comprehensive protection.”
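The first of those tips, watching for lookalike domains, can be partly automated. What follows is an added example, not Check Point's code or any tool the article mentions: it normalises a domain, strips a handful of homoglyph and digit-for-letter substitutions, and compares the registrable label against a list of brands. The brand list, the confusables map and the sample domains are constructed for illustration, and the registrable domain is approximated as the last two labels (correct for .com, wrong for suffixes like co.uk), all of which are assumptions rather than anything the article states.

```python
"""Flag lookalike domains of the kind the advice above warns about.
Added example with constructed data: brand list, confusables map and the
sample domains are illustrative, and 'registrable domain' is approximated
as the last two labels (assumption; use a public-suffix list in practice)."""
import unicodedata

BRANDS = ["checkpoint.com", "google.com", "microsoft.com", "youtube.com"]

# Small homoglyph / substitution map (assumed subset; a real deployment would
# use the Unicode confusables table). Two-character entries come last so the
# single-character replacements have already run.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
    "rn": "m", "vv": "w",
}


def to_unicode(domain):
    """Decode punycode (xn--) labels so homoglyph checks see the real characters."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA


def skeleton(label):
    """Reduce a label to the ASCII string a human would read it as."""
    s = unicodedata.normalize("NFKC", label).lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Plain edit distance; one edit is the typical fat-finger typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels of the domain (assumption: no multi-label public suffixes)."""
    labels = to_unicode(domain).lower().strip(".").split(".")
    return ".".join(labels[-2:])


# Verdicts ordered from strongest to weakest signal.
SEVERITY = {"legitimate": 0, "homoglyph": 1, "typosquat": 2, "brand-embedded": 3, "unrelated": 4}


def classify(domain):
    """Return (verdict, matched_brand) for a domain against BRANDS."""
    reg = registrable(domain)
    if reg in BRANDS:
        return ("legitimate", reg)
    label_skel = skeleton(reg.split(".")[0])
    best = ("unrelated", None)
    for brand in BRANDS:
        brand_label = brand.split(".")[0]
        if label_skel == brand_label:
            candidate = ("homoglyph", brand)       # gооgle.com, goog1e.com
        elif levenshtein(label_skel, brand_label) <= 1:
            candidate = ("typosquat", brand)       # gogle.com
        elif brand_label in label_skel:
            candidate = ("brand-embedded", brand)  # google-translate-desktop.com
        else:
            continue
        if SEVERITY[candidate[0]] < SEVERITY[best[0]]:
            best = candidate
    return best


if __name__ == "__main__":
    # Constructed sample domains for illustration only.
    for d in ["translate.google.com", "g\u043e\u043egle.com", "goog1e.com",
              "gogle.com", "google-translate-desktop.com", "example.org"]:
        print(d, "->", classify(d))
```

Feed it the domains from proxy or DNS logs rather than typing them in by hand; the "brand-embedded" bucket is the noisiest (plenty of legitimate partner sites embed a brand name), so it is the one to treat as an enrichment hint rather than an alert on its own.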