KEY POINTS

  • The malware hijacks computers and uses them to mine cryptocurrency
  • The campaign has been operating since 2019
  • Security experts disclose how malicious actors infect and attack computers to mine cryptocurrency

Security researchers have spotted Nitrokod, a crypto-miner malware campaign that has so far infected hundreds of thousands of systems by disguising itself as a legitimate app such as Google Translate.

The crypto-mining campaign, reportedly launched by Turkish-speaking threat actors, has infected more than 111,000 users across 11 countries since 2019. The Nitrokod software developer has been active in the industry since 2019 and is known for providing free desktop versions of apps that do not officially have one.

Cybersecurity firm Check Point disclosed Monday that the malware can be downloaded easily, since Nitrokod's programs are found on popular sites like Uptodown and Softpedia. One of its most popular apps is the Google Translate desktop application, and since Google has never released a desktop version of the app, Nitrokod's corrupted version is the first link that shows up during searches.

The closure of crypto mines in Sichuan province, like this one seen in Canada, has resulted in the closure of more than 90 percent of China's Bitcoin mining capacity, state media said AFP / Lars Hagberg

"The software can also be easily found through Google when users search 'Google Translate Desktop download,'" the security firm revealed. But unlike other malware campaigns, the malicious actors behind Nitrokod are patient and clever.

"After the initial software installation, the attackers delayed the infection process for weeks and deleted traces from the original installation. This allowed the campaign to successfully operate under the radar for years," the report said.

The infection chain begins with the installation of the program, which unsuspecting users have downloaded from the internet. After the software is executed, the Google Translate app is installed along with an update file.

This file is the powder keg that starts a series of four droppers until the actual malicious software is installed. As soon as the malware is executed, it connects to the C2 server to obtain the XMRig crypto miner configuration and starts mining cryptocurrencies.

To make sure the malware evades detection, the malicious actors use the stage 5 dropper to run checks. The malware exits if security software is detected on the machine.

"The malicious tools can be used by anyone. They can be found by a simple web search, downloaded from a link, and installation is a simple double-click. We know that the tools are built by a Turkish-speaking developer," Check Point vice president Maya Horowitz said. "Currently, the threat we identified was unknowingly installing a cryptocurrency miner, which steals computer resources and leverages them for the attacker to monetize on."

"What's most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long," the executive noted. "We blocked the threat for Check Point customers, and are publishing this report so that others can be protected as well."