The Turkish-speaking group responsible for Nitrokod, which has been active since 2019 is said to have infected thousands of systems in 11 countries. Nitrokod, a crypto mining Trojan, is usually disguised as a clean Windows app and functions normally for days or weeks before its hidden Monero-crafting code is executed. What's interesting is that the apps offer a desktop version of services that are normally only available online.
"The malware is dropped from applications that are popular, but don't have an actual desktop version, such as Google Translate, keeping the malware versions in demand and exclusive," Check Point malware analyst Moshe Marelus wrote in a report Monday.
"The malware drops almost a month after the infection, and following other stages to drop files, making it very hard to analyze back to the initial stage."
Nitrokod also uses other translation applications, such as Microsoft Translator Desktop, and MP3 downloader programmes in addition to Google Translate. On some websites, malicious applications will highlight about being "100% clean," despite the fact that they are infected with mining malware. Nitrokod has been productive in spreading its malicious code through download sites such as Softpedia. Since December 2019, the Nitrokod Google Translator app has been downloaded over 112,000 times, according to Softpedia.
Nitrokod programmers, according to Check Point, are patient, taking a long time and multiple steps to conceal the malware's presence inside an infected PC before installing aggressive crypto mining code. Due to the lengthy, multi-stage infection efforts, the campaign went unnoticed for years before being discovered by cybersecurity experts.
"Most of their developed programs are easily built from the official web pages using a Chromium-based framework. For example, the Google translate desktop application is converted from the Google Translate web page using the CEF [Chromium Embedded Framework] project. This gives the attackers the ability to spread functional programs without having to develop them."
After the program is downloaded and the user launches the software, an actual Google Translate app, built using Chromium as described above, is installed and runs normally. Simultaneously, the software quietly fetches and saves a series of executables, eventually scheduling one specific.exe to run every day once unpacked. This extracts another executable that connects to a remote command-and-control server, retrieves Monero miner code configuration settings, and begins the mining process, with generated coins sent to the miscreants' wallets. To conceal its tracks, some of the early-stage code will self-destruct.
One stage also looks for known virtual-machine processes and security products, which may indicate that the software is being researched. If one is discovered, the programme will terminate. If the programme is allowed to run, it will create a firewall rule that will allow incoming network connections.
Throughout the various stages, the attackers deliver the next stage using password-protected RAR-encrypted files to make them more difficult to detect. According to Marelus, Check Point researchers were able to investigate the crypto mining campaign using the vendor's Infinity extended detection and response (XDR) platform.