Recently it has come to light that malware has been created to secretly mine Monero on the computers of users who download specific programs.
The cyber security research institute Check Point Research discovered a Turkey-based malware campaign that has infected over 100,000 machines across 11 countries: Israel, Turkey, Cyprus, Greece, Poland, Germany, Australia, Mongolia, Sri Lanka, the United States and the United Kingdom.
The malware, dubbed “Nitrokod”, infected machines by disguising itself as translation applications.
The program, which was developed by a Turkish-speaking group, distributed the malware through freely downloadable software on well-known websites such as Softpedia and Uptodown.
Users may also easily find the software by searching “Google Translate Desktop download” on Google.
“The malicious tools can be used by anyone, they can be found by a simple web search, downloaded from a link, and installation is a simple double-click,” said Maya Horowitz, vice-president of research at Check Point Research. “Currently, the threat we identified was unknowingly installing a cryptocurrency miner, which steals computer resources and leverages them for the attacker to monetize on.”
How the Malware Invades Computers
Despite containing a Trojan, the application is promoted as “100% clean” on software download websites.
Nitrokod is also highly effective at avoiding detection by both the user and the machine’s firewall.
The application contains a delaying mechanism so as not to draw the user’s attention.
After holding back the infection process for weeks, the malware removes all remnants of the initial installation. This allowed Nitrokod to operate “undercover” for years.
The malware uses the victim’s computer to mine the cryptocurrency Monero.
To disguise the mining software, the malware compromises the computer in a multi-stage sequence in which each phase sets the ground for the next.
Because the app’s translation feature works as expected, and the malware does not blatantly install external software on the device, users had no reason to suspect anything was wrong.
Once the software has been unpacked, Nitrokod retrieves, saves and schedules one executable file to run every day on the victim’s computer.
Another executable is then extracted from those files; it connects to a C2 server, collects device configuration information for the Monero miner code and starts the mining process.
The mined coins are sent to the attackers’ wallets. All first-stage files eventually self-delete, and after fifteen days the Windows tool schtasks.exe triggers the next step of the infection chain.
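As an added illustration for defenders (this code is not from the article or from Check Point Research), the following Python script hunts a scheduled-task inventory for the pattern described above: a task whose action runs from a user-writable directory, recurs daily, or has its first run delayed by about two weeks after it was created. The CSV layout and every task name, path and date in it are constructed for the example and are not the exact output of schtasks.exe.

```python
import csv
import io
from datetime import datetime

# Constructed sample inventory: a simplified CSV of scheduled tasks. The column
# layout, task names, paths and dates are assumptions for this example, not the
# exact output of schtasks.exe and not real Nitrokod artifacts.
SAMPLE_TASKS = r"""TaskName,TaskToRun,ScheduleType,StartDate,CreatedDate
\Microsoft\Windows\Defrag\ScheduledDefrag,C:\Windows\System32\defrag.exe,Weekly,2022-06-01,2022-06-01
\UpdateTask_Example,C:\Users\alice\AppData\Local\Temp\update.exe,Daily,2022-07-01,2022-07-01
\SystemCheck_Example,C:\ProgramData\ExampleVendor\stage.exe,Once,2022-07-16,2022-07-01
\Adobe Acrobat Update Task,C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe,Daily,2022-05-10,2022-05-10
"""

# Directories an unprivileged user, or a dropper running as that user, can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
# The article describes a fifteen-day gap between stages; flag anything close to it.
DELAY_THRESHOLD_DAYS = 14

def parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d")

def assess_task(row):
    """Return the indicators that make one task look like a staged dropper."""
    reasons = []
    exe = row["TaskToRun"].lower()
    in_user_writable = any(marker in exe for marker in USER_WRITABLE_MARKERS)
    if in_user_writable:
        reasons.append("action runs from a user-writable path")
    delay_days = (parse_date(row["StartDate"]) - parse_date(row["CreatedDate"])).days
    if delay_days >= DELAY_THRESHOLD_DAYS:
        reasons.append(f"first run delayed {delay_days} days after creation")
    if in_user_writable and row["ScheduleType"].lower() == "daily":
        reasons.append("daily recurrence of an executable outside installed program dirs")
    return reasons

def find_suspicious_tasks(csv_text):
    """Map TaskName -> indicators for every task that has at least one."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess_task(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in find_suspicious_tasks(SAMPLE_TASKS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a real host the CSV would come from an exported task inventory; tasks under well-known vendor paths are left alone, so review the flagged ones rather than treating every hit as malicious.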