Nitrokod Crypto Miner Infected 111K+ Users with Replica of Popular Software

 

Nitrokod, a Turkish-speaking entity, has been linked to an ongoing cryptocurrency mining campaign that involves imitating a desktop application for Google Translate in order to infect over 111,000 victims in 11 countries since 2019. 

Maya Horowitz, vice president of research at Check Point, said in a statement shared with The Hacker News, "The malicious tools can be used by anyone. They can be found by a simple web search, downloaded from a link, and installation is a simple double-click." 

The victims come from the United Kingdom, the United States, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland. The campaign involves the distribution of malware via free software hosted on popular websites such as Softpedia and Uptodown. 

To evade detection, the malware postpones execution for weeks and keeps its malicious activity separate from the downloaded fake software. After the infected program is installed, an update executable is written to disk, launching a four-stage attack sequence in which each dropper paves the way for the next, until the actual malware is dropped in the seventh stage.

When the malware is executed, a connection is established to a remote command-and-control (C2) server to retrieve a configuration file to begin the coin mining activity.

The free fake software offered by the Nitrokod campaign imitates services that have no official desktop version, such as Yandex Translate, Microsoft Translate, YouTube Music, MP3 Download Manager, and PC Auto Shutdown.

Furthermore, the malware is dropped nearly a month after the initial infection, by which time the forensic trail has been erased, making it difficult to reconstruct the attack and trace it back to the installer.

Horowitz concluded, "What's most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long. The attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking trojan."