Your Yello Ring Road To Success
GOOGLE LOGIN MY ADS MY SHOP

Nitrokod Crypto Miner Infected Over 111,000 Users with Copies of Popular Software

A Turkish-speaking entity called Nitrokod has been
attributed to an active cryptocurrency mining campaign that
involves impersonating a desktop application for Google Translate
to infect over 111,000 victims in 11 countries since 2019.

“The malicious tools can be used by anyone,” Maya Horowitz, vice
president of research at Check Point, said in a statement shared
with The Hacker News. “They can be found by a simple web search,
downloaded from a link, and installation is a simple
double-click.”

The list of countries with victims includes the U.K., the U.S.,
Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia,
Mongolia, and Poland.

CyberSecurity

The campaign[1]
entails serving malware through free software hosted on popular
sites such as Softpedia and Uptodown. But in an interesting tactic,
the malware puts off its execution for weeks and separates its
malicious activity from the downloaded fake software to avoid
detection.

The installation of the infected program is followed by
deployment of an update executable to the disk that, in turn,
kick-starts a four-stage attack sequence, with each dropper paving
for the next, until the actual malware is dropped in the seventh
stage.

Upon execution of the malware, a connection to a remote
command-and-control (C2) server is established to retrieve a
configuration file to initiate the coin mining activity.

CyberSecurity

A notable aspect of the Nitrokod campaign is that the fake
software offered for free are for services that do not have an
official desktop version, such as Yandex Translate, Microsoft
Translate, YouTube Music, MP3 Download Manager, and Pc Auto
Shutdown.

Furthermore, the malware is dropped almost a month after the
initial infection, by when the forensic trail is deleted, making it
challenging to break down the attack and trace it back to the
installer.

“What’s most interesting to me is the fact that the malicious
software is so popular, yet went under the radar for so long,”
Horowitz said. “The attacker can easily choose to alter the final
payload of the attack, changing it from a crypto miner to, say,
ransomware or banking trojan.”

References

  1. ^
    campaign
    (research.checkpoint.com)

Read more