Monday, August 29, 2022

Nitrokod Crypto Miner Infected Over 111,000 Users with Copies of Popular Software


A Turkish-speaking entity called Nitrokod has been attributed to an active cryptocurrency mining campaign that involves impersonating a desktop application for Google Translate to infect over 111,000 victims in 11 countries since 2019.

“The malicious tools can be used by anybody,” Maya Horowitz, VP of research at Check Point, said in a statement shared with The Hacker News. “They can be found by a simple web search, downloaded from a link, and installation is a simple double-click.”

The list of countries with victims includes the U.K., the U.S., Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland.


The campaign involves serving malware through free software hosted on popular download sites such as Softpedia and Uptodown. In an interesting tactic, the malware puts off its execution for weeks, long enough to outlast typical sandbox detonation windows, and separates its malicious activity from the downloaded fake software to avoid detection.

Installation of the infected program is followed by the deployment of an update executable to disk that, in turn, kick-starts a four-stage attack sequence, with each dropper paving the way for the next, until the actual malware is dropped in the seventh stage.

Upon execution of the malware, a connection to a remote command-and-control (C2) server is established to retrieve a configuration file and initiate the coin mining activity.


A notable aspect of the Nitrokod campaign is that the fake software offered for free is for services that do not have an official desktop version, such as Yandex Translate, Microsoft Translate, YouTube Music, MP3 Download Manager, and PC Auto Shutdown.

Furthermore, the malware is dropped almost a month after the initial infection, by which time the forensic trail has been deleted, making it challenging to break down the attack and trace it back to the installer.

“What’s most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long,” Horowitz said. “The attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking trojan.”


