Cryptocurrency campaign infecting PCs via free software uncovered

An active cryptocurrency mining campaign that imitates Google Translate and other free software to infect PCs has been found by Check Point Research (CPR), reportedly created by a Turkish-speaking entity called Nitrokod.

The campaign has claimed roughly 111,000 victims in 11 countries since 2019, according to the CPR team, including Australia.

The campaign drops malware from free software available on popular websites such as Softpedia and uptodown. The CPR team has also found the malicious software can be easily found through Google when users search "Google Translate Desktop download".

Malicious tools can be used by anyone, with Maya Horowitz, VP of research at Check Point Software, noting that these are now very easy to obtain.

============

"We discovered a popular website that serves malicious versions through imitations of PC applications, including Google Desktop and others, which include a cryptocurrency miner.

"They can be found by a simple web search, downloaded from a link, and installation is a simple double click.

"We know that the tools are built by a Turkish-speaking developer."

After the initial software installation, the CPR observed the attackers delay the infection process for weeks, deleting traces from the original installation.

In order to avoid detection, Nitrokod authors implemented some key strategies to remain undetected for an extended period of time:

VIEW ALL

The malware is first executed almost a month after the Nitrokod program is installed.
The malware is delivered after six earlier stages of infected programs.
The infection chain is continued after a long delay using a scheduled task mechanism, giving the attackers time to clear all their evidence.

The Nitrokod campaign has successfully operated under the radar for years, and there are three phases in the infection chain:

Infection starts with the installation of an infected program downloaded from the web.
Once the user launches the new software, an actual Google Translate imitation application is installed. In addition, an update file is dropped to the disk which starts a series of four droppers until the actual malware is dropped.
After the malware is executed, the malware connects to its C&C (command and control) server to get a configuration for the XMRig crypto miner and starts the mining activity.

The CPR team have found victims in over ten countries:

UK
US
Sri Lanka
Greece
Israel
Germany
Turkey
Cyprus
Australia
Mongolia
Poland

Currently, the threat identified was unknowingly installing a cryptocurrency miner, according to the CPR team which steals computer resources and leverages them for the attacker to monetise on.

Using the same attack flow, the attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking Trojan.

The CPR team has listed the following cyber safety tips to avoid a Trojan infection:

Beware of lookalike domains, spelling errors in websites, and unfamiliar email senders.
Download software only from authorised, known publishers and vendors.
Prevent zero-day attacks with a holistic, end to end cyber architecture.
Make sure your endpoint security is up to date and provides comprehensive protection.

The Nitrokod Trojan threat has been blocked for Check Point users, according to Horowitz, noting that the company has published a report recently so that others can be protected as well.

"What's most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long," Horowitz concluded.

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it

newsletter

Be the first to hear the latest developments in the cyber industry.

Cryptocurrency campaign infecting PCs via free software uncovered

Introducing Cyber Daily, the new name for Cyber Security Connect

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED