New Delhi: Check Point Research (CPR) has discovered an active cryptocurrency mining campaign imitating “Google Translate Desktop” and other free software to infect PCs. Created by a Turkish-speaking entity called Nitrokod, the campaign counts 111,000 downloads in 11 countries since 2019.
The attackers delay the infection process for weeks to evade detection. CPR has warned that attackers can easily choose to alter the malware, changing it from a crypto miner to ransomware or banking trojans, for example.
·Campaign drops malware from free software available on popular websites such as Softpedia and Uptodown.
·Malware is dropped from imitations of applications that are popular, but that do not have actual desktop versions, such as Google Translate
·Victims seen are in the UK, US, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland
“We discovered a popular website that serves malicious versions through imitations of PC applications, including Google Desktop and others, which include a cryptocurrency miner,” said Maya Horowitz, VP of Research – Check Point Software.
“The malicious tools can be used by anyone. They can be found by a simple web search, downloaded from a link, and installation is a simple double-click. We know that the tools are built by a Turkish – speaking developer,” added Horowitz.
The campaign drops malware from free software available on popular websites such as Softpedia and Uptodown. And, the malicious software can also be easily found through Google when users search “Google Translate Desktop download”. After the initial software installation, the attackers delay the infection process for weeks, deleting traces from the original installation.
Figure 1. Top results for “Google Translate Desktop download”
Undetected for Years
The campaign has successfully operated under the radar for years. To avoid detection, Nitrokod authors implemented some key strategies:
·The malware is first executed almost a month after the Nitrokod program is installed
·The malware is delivered after 6 earlier stages of infected programs
·The infection chain is continued after a long delay using a scheduled task mechanism, giving the attackers time to clear all their evidence
1. Infection starts with the installation of an infected program downloaded from the Web
2. Once the user launches the new software, an actual Google Translate imitation application is installed. In addition, an update file is dropped to disk which starts a series of four droppers until the actual malware is dropped
3. After the malware is executed, the malware connects to its C&C (Command & Control) server to get a configuration for the XMRig crypto miner and starts the mining activity
Figure 2. Infection Chain Map
List of Countries with Victims: UK, US, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, Poland
“Currently, the threat we identified was unknowingly installing a cryptocurrency miner, which steals computer resources and leverages them for the attacker to monetize on. Using the same attack flow, the attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking Trojan,” informed Horowitz.
“What’s most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long. We blocked the threat for Check Point customers, and are publishing this report so that others can be protected as well,” concluded Horowitz.