A Turkish-based cryptocurrency mining malware (crypto miner) campaign has been detected. Called Nitrokod and discovered by the Check Point Research team, the campaign has infected machines across 11 countries with an XMRig crypto miner.
Nitrokod Cryptominer Campaign: Some Details
The malware operators package their payload with popular programs offered on free software download sites such as Softpedia. To avoid detection, the threat actors keep all malicious activity separate from the trojanized program the victim downloads. The software is also easy to find through Google search results for queries such as “Google Translate Desktop download.”
Not surprisingly, the applications are advertised as “100% clean” via banners on the download pages, while in truth they are trojanized. The installers also contain a delay mechanism that sets off a long, multi-stage infection ending with crypto-mining malware.
“After the initial software installation, the attackers delayed the infection process for weeks and deleted traces from the original installation. This allowed the campaign to successfully operate under the radar for years,” the researchers said in the report.
These are the steps the Nitrokod attacker followed to avoid detection:
- Executing the malware almost a month after the Nitrokod program was installed.
- Delivering the payload after 6 earlier stages of infected programs.
- A continuous infection chain initiated after a long delay using a scheduled task mechanism, giving the attackers time to clear the evidence.
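The delay and scheduled-task tricks above are what a defender can hunt for: a task registered on one date whose first trigger fires weeks later, running something out of a user-writable folder. The script below triages exported Task Scheduler XML for exactly that pattern. It is an added example, not Check Point's code and not derived from the Nitrokod samples; the two task definitions, their paths and dates are constructed, and the seven-day threshold and the list of user-writable path markers are assumptions rather than indicators from the report.

```python
"""Triage exported Windows scheduled tasks for long-delay droppers.

Added example; not Check Point's code and not the Nitrokod samples. The two
task definitions below are constructed: names, paths and dates are
assumptions, not indicators from the report.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DELAY_DAYS = 7          # assumed threshold: gap between registration and first run
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed task: registered and first run the next night, binary in System32.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-03-01T10:00:00</Date></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2022-03-02T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Windows\System32\backup.exe</Command></Exec></Actions>
</Task>"""

# Constructed task: first run a month after registration, binary under AppData.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-03-01T10:00:00</Date></RegistrationInfo>
  <Triggers>
    <TimeTrigger><StartBoundary>2022-03-31T12:00:00</StartBoundary></TimeTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions><Exec><Command>C:\Users\alice\AppData\Roaming\Updater\update.exe</Command></Exec></Actions>
</Task>"""


def _text(node, path):
    return node.findtext(path, default="", namespaces=NS).strip()


def triage_task(xml_text):
    """Return the reasons a task deserves a closer look (empty list = nothing odd)."""
    root = ET.fromstring(xml_text)
    reasons = []

    registered = _text(root, "t:RegistrationInfo/t:Date")
    reg_dt = datetime.fromisoformat(registered) if registered else None

    triggers = root.find("t:Triggers", NS)
    for trig in (triggers if triggers is not None else []):
        start = _text(trig, "t:StartBoundary")
        if not start or reg_dt is None:
            continue                     # logon/boot triggers carry no start time
        delay = (datetime.fromisoformat(start) - reg_dt).days
        if delay >= DELAY_DAYS:
            reasons.append(f"first run delayed {delay} days after registration")

    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = _text(exe, "t:Command")
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            reasons.append(f"executes from user-writable path: {cmd}")
    return reasons


if __name__ == "__main__":
    for name, xml_text in (("benign", BENIGN_TASK), ("suspect", SUSPECT_TASK)):
        print(name, triage_task(xml_text) or ["nothing flagged"])
```

On a live host the XML comes from `schtasks /query /xml` or the files under `C:\Windows\System32\Tasks`; the registration date is only present when the registering tool wrote it, which is why the script skips the delay check rather than guessing when it is missing.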
Nearly all detected Nitrokod campaigns share the same infection chain, starting with the installation of a freely downloaded, trojanized app and ending with the miner’s installation.
“Once the user launches the new software, an actual Google Translate application is installed. In addition, an updated file is dropped which starts a series of four droppers until the actual malware is dropped,” Check Point added. Once executed, the malware connects to its command-and-control server to receive a configuration for the XMRig crypto miner and start the mining process.
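Because the final stage is a stock XMRig miner driven by a server-supplied configuration, the miner's own command-line options and config keys are a practical hunting signal even when the binary has been renamed. The script below checks process command lines and a `config.json` for that shape. It is an added example, not Check Point's code and not an indicator list from the report; the option and key names are XMRig's public CLI/config schema, while the sample command lines, the pool host (on the reserved `.invalid` domain), the wallet string and the two-indicator threshold are constructed assumptions.

```python
"""Spot XMRig-style miner configuration in command lines and config files.

Added example; not Check Point's code and not an indicator list from the
report. Flag and key names follow XMRig's public CLI/config schema; the
sample command lines, hosts and wallet strings are constructed.
"""
import json
import re
import shlex

POOL_SCHEMES = ("stratum+tcp://", "stratum+ssl://")
HOST_PORT = re.compile(r"^[\w.-]+:\d{2,5}$")      # bare host:port pool form
MIN_INDICATORS = 2                                # assumed threshold to flag

# Constructed: a renamed binary carrying a miner command line, then a benign
# process that also happens to use -o.
SAMPLE_CMDLINES = [
    r'"C:\Users\alice\AppData\Roaming\svc\update.exe" -o pool.example.invalid:3333 '
    r'-u 4EXAMPLEWALLET.worker1 -p x --donate-level 1 -a rx/0 --cpu-max-threads-hint 50',
    r'"C:\Program Files\Tool\tool.exe" -o out.txt --verbose',
]

# Constructed config.json in XMRig's layout.
SAMPLE_CONFIG = """{
  "autosave": true,
  "donate-level": 1,
  "cpu": {"enabled": true, "max-threads-hint": 50},
  "pools": [{"url": "stratum+tcp://pool.example.invalid:3333",
             "user": "4EXAMPLEWALLET", "pass": "x", "keepalive": true}]
}"""


def _option_value(argv, names):
    """Value of the first matching option, given as '-o VALUE' or '--url=VALUE'."""
    for i, tok in enumerate(argv):
        if tok in names and i + 1 < len(argv):
            return argv[i + 1]
        for name in names:
            if name.startswith("--") and tok.startswith(name + "="):
                return tok[len(name) + 1:]
    return None


def cmdline_indicators(cmdline):
    """Map of miner-specific settings found on the command line."""
    argv = shlex.split(cmdline)            # POSIX quoting is enough for the samples
    hits = {}
    url = _option_value(argv, ("-o", "--url"))
    if url and (url.startswith(POOL_SCHEMES) or HOST_PORT.match(url)):
        hits["pool"] = url
    user = _option_value(argv, ("-u", "--user"))
    if user:
        hits["user"] = user
    algo = _option_value(argv, ("-a", "--algo"))
    if algo:
        hits["algo"] = algo
    donate = _option_value(argv, ("--donate-level",))
    if donate is not None:
        hits["donate-level"] = donate
    return hits


def looks_like_miner(cmdline):
    """A single -o or -u is common in other tools; require two independent hits."""
    return len(cmdline_indicators(cmdline)) >= MIN_INDICATORS


def config_indicators(config_text):
    """Pool URLs and donate level from an XMRig-layout config, or {} if not one."""
    try:
        cfg = json.loads(config_text)
    except ValueError:
        return {}
    if not isinstance(cfg, dict) or not isinstance(cfg.get("pools"), list):
        return {}
    hits = {"pools": [p["url"] for p in cfg["pools"] if isinstance(p, dict) and "url" in p]}
    if "donate-level" in cfg:
        hits["donate-level"] = cfg["donate-level"]
    return hits


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(looks_like_miner(line), cmdline_indicators(line))
    print(config_indicators(SAMPLE_CONFIG))
```

The pool and wallet values pulled out this way are what you pivot on next: the same pool host or wallet across several hosts ties infections to one operator, which is also how the campaign's scale was measured.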
Cryptomining malware operates by harvesting the resources of infected machines, significantly degrading their performance. A computer infected with a crypto miner will also show noticeably higher power consumption. Note that crypto miners are usually stealthy and consume these resources quietly. Various devices can be affected, including computers, smartphones and other internet-connected electronics such as IoT devices.