Search This Blog

Showing posts with label Google Translate. Show all posts

Cryptominer Malware Posing as Desktop Version of Google Translate


While advertising desktop versions of well-known apps, a crypto mining effort from Turkey has been found infecting thousands of PCs. This campaign's offender is known as "Nitrokod." 

Nitrokod is a Turkish-speaking software company that has been operating since 2019 and promotes its free and secure software. The majority of the programs Nitrokod provides are well-known apps without a formal desktop version. For instance, the desktop version of Google Translate is the most used Nitrokod application. Since Google hasn't made a desktop version available, the hackers' version is quite tempting.

Over 111,000 individuals have been infected by Nitrokod in 11 countries so far.

Malware operation 

Free software that is hosted on websites like Uptodown and Softpedia is used by the campaign to spread malware. Every dropper in the executable's four-stage attack chain pulls the one after it. In the seventh stage, this ultimately results in the download of actual malware (XMRig) falling.

The victims of the campaign are spread throughout a number of nations, including the United Kingdom, Sri Lanka, the United States, Greece, Australia, Israel, Turkey, Cyprus, Mongolia, Poland, and Germany.

The creators of Nitrokod segregate destructive activities from the Nitrokod program that was initially downloaded in order to escape detection:
  • Nearly a month after the Nitrokod software was set up, the malware is first executed.
  • After six earlier phases of infected programs, the malware is deployed.
  • A scheduled job technique was used to maintain the virus chain after a lengthy wait, giving the hackers time to destroy any evidence.
Using Check Point's Infinity XDR (Extended Detection and Response) platform, a prevention-focused XDR solution, CPR discovered this new crypto miner malware campaign. With the use of this technology, SOC teams can swiftly identify, look into, and react to assaults across their whole IT infrastructure. By utilizing data collected from all products, including Endpoint, Networks, Web security, and others, it detects risks inside the company and stops its growth.

Nearly a month after the first infection, the malware is removed. The third stage dropper runs five days after the last run, and the fourth stage dropper adds four more scheduled activities with intervals ranging from one to fifteen days. The phases are removed following the creation of these assignments.

Detection &prevention  

The investigators will have an extremely difficult time identifying the attack and linking it to the bogus installation as a result of this. In order to obtain a configuration file to launch the XMRig mining operation, the virus also creates a connection to a distant C2 server.

Due to extended infection chains and staged infection, hackers were able to avoid detection for months. This gave them plenty of time to change the final payload into crypto miners or ransomware. In order to keep the malware versions in demand and unique, the virus is removed from popular apps like Google Translate that doesn't actually have a desktop version.

That 'Clean' Google Translate App is Actually Windows Crypto-mining Malware


The Turkish-speaking group responsible for Nitrokod, which has been active since 2019 is said to have infected thousands of systems in 11 countries. Nitrokod, a crypto mining Trojan, is usually disguised as a clean Windows app and functions normally for days or weeks before its hidden Monero-crafting code is executed. What's interesting is that the apps offer a desktop version of services that are normally only available online.

"The malware is dropped from applications that are popular, but don't have an actual desktop version, such as Google Translate, keeping the malware versions in demand and exclusive," Check Point malware analyst Moshe Marelus wrote in a report Monday.

"The malware drops almost a month after the infection, and following other stages to drop files, making it very hard to analyze back to the initial stage."

Nitrokod also uses other translation applications, such as Microsoft Translator Desktop, and MP3 downloader programmes in addition to Google Translate. On some websites, malicious applications will highlight about being "100% clean," despite the fact that they are infected with mining malware. Nitrokod has been productive in spreading its malicious code through download sites such as Softpedia. Since December 2019, the Nitrokod Google Translator app has been downloaded over 112,000 times, according to Softpedia.

Nitrokod programmers, according to Check Point, are patient, taking a long time and multiple steps to conceal the malware's presence inside an infected PC before installing aggressive crypto mining code. Due to the lengthy, multi-stage infection efforts, the campaign went unnoticed for years before being discovered by cybersecurity experts.

"Most of their developed programs are easily built from the official web pages using a Chromium-based framework. For example, the Google translate desktop application is converted from the Google Translate web page using the CEF [Chromium Embedded Framework] project. This gives the attackers the ability to spread functional programs without having to develop them."

After the program is downloaded and the user launches the software, an actual Google Translate app, built using Chromium as described above, is installed and runs normally. Simultaneously, the software quietly fetches and saves a series of executables, eventually scheduling one specific.exe to run every day once unpacked. This extracts another executable that connects to a remote command-and-control server, retrieves Monero miner code configuration settings, and begins the mining process, with generated coins sent to the miscreants' wallets. To conceal its tracks, some of the early-stage code will self-destruct.

One stage also looks for known virtual-machine processes and security products, which may indicate that the software is being researched. If one is discovered, the programme will terminate. If the programme is allowed to run, it will create a firewall rule that will allow incoming network connections.

Throughout the various stages, the attackers deliver the next stage using password-protected RAR-encrypted files to make them more difficult to detect. According to Marelus, Check Point researchers were able to investigate the crypto mining campaign using the vendor's Infinity extended detection and response (XDR) platform.