A cryptocurrency-mining campaign originating in Turkey has been found infecting thousands of PCs by advertising desktop versions of well-known apps. The actor behind the campaign is known as "Nitrokod."
Nitrokod is a Turkish-speaking software company that has been operating since 2019 and promotes its free and secure software.
The majority of the programs Nitrokod provides are well-known apps that have no official desktop version. For instance, the desktop version of Google Translate is the most used Nitrokod application. Since Google has never released a desktop version, the attackers' version is quite tempting.
Over 111,000 individuals have been infected by Nitrokod in 11 countries so far.
Malware operation
The campaign spreads the malware through free software hosted on sites such as Uptodown and Softpedia. Each dropper in the executable's four-stage attack chain fetches the next one, which ultimately results in the download of the actual malware (XMRig) in the seventh stage.
The victims of the campaign are spread throughout a number of nations, including the United Kingdom, Sri Lanka, the United States, Greece, Australia, Israel, Turkey, Cyprus, Mongolia, Poland, and Germany.
To evade detection, the creators of Nitrokod separated the malicious activity from the Nitrokod program that is initially downloaded:
- Nearly a month after the Nitrokod software was set up, the malware is first executed.
- After six earlier phases of infected programs, the malware is deployed.
- A scheduled-task mechanism is used to continue the infection chain after a lengthy wait, giving the attackers time to remove any evidence.
CPR discovered this new crypto-miner campaign using Check Point's Infinity XDR (Extended Detection and Response) platform, a prevention-focused XDR solution. With this technology, SOC teams can swiftly identify, investigate, and respond to attacks across their whole IT infrastructure. By correlating data collected from all products, including Endpoint, Network, Web security, and others, it detects threats inside the company and stops their spread.
Nearly a month after the initial infection, the malware is removed. The third-stage dropper runs five days after the previous run, and the fourth-stage dropper adds four more scheduled tasks with intervals ranging from one to fifteen days. The earlier stages are deleted once these tasks have been created.
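The scheduling pattern described above (repeat intervals of one to fifteen days, stage binaries deleted once the task is registered, payloads dropped outside Program Files) can be turned into a triage heuristic over a host's scheduled tasks. The following is an added example, not code from Check Point or from the campaign; the `TaskRecord` fields are this example's own simplified schema for what an endpoint agent or a `schtasks /query /xml` export would provide, and the sample records are constructed rather than real telemetry.

```python
"""Triage of Windows scheduled tasks for the long-delay, self-deleting dropper pattern.

Added example; not Check Point's or Nitrokod's code. TaskRecord is a
hypothetical, simplified schema for scheduled-task telemetry, and the sample
records at the bottom are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TaskRecord:
    name: str             # task path as shown in Task Scheduler
    action_path: str      # executable the task launches
    interval_days: float  # repeat interval in days (0 = one-shot)
    action_exists: bool   # is the executable still present on disk?
    signed: bool          # did an Authenticode check on the executable pass?


# Directories an installer-dropped stage typically lands in (assumption for
# this example; tune to what your environment permits).
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\programdata\\",
)


def score_task(task: TaskRecord) -> Dict[str, object]:
    """Return the task name, a count of matching indicators and the reasons.

    The indicators mirror the campaign behaviour: repeat intervals of one to
    fifteen days, stage binaries deleted after the task is registered, and
    payloads living in user-writable, unsigned locations."""
    reasons: List[str] = []
    if 1 <= task.interval_days <= 15:
        reasons.append("repeat interval inside the 1-15 day window used by the staged droppers")
    if not task.action_exists:
        reasons.append("action binary is missing from disk (stage deleted after scheduling)")
    if any(d in task.action_path.lower() for d in USER_WRITABLE_DIRS):
        reasons.append("action binary lives in a user-writable directory")
    if not task.signed:
        reasons.append("action binary is not Authenticode-signed")
    return {"name": task.name, "score": len(reasons), "reasons": reasons}


def triage(tasks: List[TaskRecord], threshold: int = 2) -> List[Dict[str, object]]:
    """Keep only tasks that hit at least `threshold` indicators, worst first."""
    hits = [score_task(t) for t in tasks]
    hits = [h for h in hits if h["score"] >= threshold]
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample: two ordinary tasks and one that looks like a dropper stage.
SAMPLE_TASKS = [
    TaskRecord(r"\Microsoft\Windows\Defrag\ScheduledDefrag",
               r"C:\Windows\System32\defrag.exe", 7, True, True),
    TaskRecord(r"\Vendor\NightlyBackup",
               r"C:\Program Files\Vendor\backup.exe", 1, True, True),
    TaskRecord(r"\Update\UpdateTask",
               r"C:\Users\alice\AppData\Local\Temp\update.exe", 5, False, False),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_TASKS):
        print(f"{hit['name']}: {hit['score']} indicators")
        for reason in hit["reasons"]:
            print("  -", reason)
```

A single indicator is common on healthy hosts (many legitimate tasks repeat daily or weekly), so the default threshold of two keeps the daily backup and the weekly defrag task out of the result while the temp-directory task that has already deleted its own binary scores on all four indicators.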
Detection & prevention
This makes it extremely difficult for investigators to identify the attack and trace it back to the bogus installer. The malware also connects to a remote C2 server to obtain a configuration file with which it launches the XMRig mining operation.
Thanks to the extended, staged infection chain, the attackers were able to avoid detection for months, which gave them plenty of time to swap the final payload for crypto miners or ransomware. To keep the malware versions in demand and distinctive, the malware is dropped from popular apps such as Google Translate that do not actually have a desktop version.