Check Point Research discovers an active cryptocurrency mining campaign imitating “Google Translate Desktop” and other free software to infect PCs. Created by a Turkish speaking entity called Nitrokod, the campaign counts 111,000 downloads in 11 countries since 2019. The attackers delay the infection process for weeks to evade detection.
CPR warns that attackers can easily choose to alter the malware, changing it from a crypto miner to ransomware or banking trojans, for example.
Campaign drops malware from free software available on popular websites such as Softpedia and uptodown.
Malware is dropped from imitations of applications that are popular, but that do not have actual desktop versions, such as Google Translate
Victims seen are in UK, US, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland
CPR has discovered an active cryptocurrency mining campaign that imitates Google Desktop Translate and other free software to infect PCs. Created by a Turkish speaking entity called Nitrokod, the campaign has claimed roughly 111,000 victims in 11 countries since 2019.
The campaign drops malware from free software available on popular websites such as Softpedia and uptodown. And, the malicious software can also be easily found through Google when users search “Google Translate Desktop download”. After the initial software installation, the attackers delay the infection process for weeks, deleting traces from the original installation.
Undetected for Years
The campaign has successfully operated under the radar for years. To avoid detection, Nitrokod authors implemented some key strategies:
The malware is first executed almost a month after the Nitrokod program is installed
The malware is delivered after 6 earlier stages of infected programs
The infection chain is continued after a long delay using a scheduled task mechanism, giving the attackers time to clear all their evidence
Infection Chain
Quote: Maya Horowitz, VP of Research at Check Point Software:
“We discovered a popular website that serves malicious versions through imitations of PC applications, including Google Desktop and others, which include a cryptocurrency miner. The malicious tools can be used by anyone. They can be found by a simple web search, downloaded from a link, and installation is a simple double-click. We know that the tools are built by a Turkish - speaking developer.
Currently, the threat we identified was unknowingly installing a cryptocurrency miner, which steals computer resources and leverages them for the attacker to monetize on. Using the same attack flow, the attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking Trojan.
What’s most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long. We blocked the threat for Check Point customers, and are publishing this report so that others can be protected as well.”
Cyber Safety Tips:
Beware of lookalike domains, spelling errors in websites, and unfamiliar email senders
Download software only from authorized, known publishers and vendors
Prevent zero-day attacks with a holistic, end to end cyber architecture
Make sure your endpoint security is up to date and provides comprehensive protection