Share this article on:
An active cryptocurrency mining campaign that imitates Google Translate and other free software to infect PCs has been found by Check Point Research (CPR), reportedly created by a Turkish-speaking entity called Nitrokod.
The campaign has claimed roughly 111,000 victims in 11 countries since 2019, according to the CPR team, including Australia.
The campaign drops malware from free software available on popular websites such as Softpedia and uptodown. The CPR team has also found the malicious software can be easily found through Google when users search "Google Translate Desktop download".
Malicious tools can be used by anyone, with Maya Horowitz, VP of research at Check Point Software, noting that these are now very easy to obtain.
"We discovered a popular website that serves malicious versions through imitations of PC applications, including Google Desktop and others, which include a cryptocurrency miner.
"They can be found by a simple web search, downloaded from a link, and installation is a simple double click.
"We know that the tools are built by a Turkish-speaking developer."
After the initial software installation, the CPR observed the attackers delay the infection process for weeks, deleting traces from the original installation.
In order to avoid detection, Nitrokod authors implemented some key strategies to remain undetected for an extended period of time:
The Nitrokod campaign has successfully operated under the radar for years, and there are three phases in the infection chain:
The CPR team have found victims in over ten countries:
Currently, the threat identified was unknowingly installing a cryptocurrency miner, according to the CPR team which steals computer resources and leverages them for the attacker to monetise on.
Using the same attack flow, the attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking Trojan.
The CPR team has listed the following cyber safety tips to avoid a Trojan infection:
The Nitrokod Trojan threat has been blocked for Check Point users, according to Horowitz, noting that the company has published a report recently so that others can be protected as well.
"What's most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long," Horowitz concluded.
[Related: Experts concerned about China’s cyber security interests in Indonesia]