A Nitrokod miner has infected systems in 11 countries since 2019

Security Affairs

Researchers spotted a Turkey-based crypto-miner malware campaign, tracked as Nitrokod, that infected systems in 11 countries.

Check Point researchers discovered a Turkey-based crypto-miner malware campaign, dubbed Nitrokod, that has infected machines in 11 countries.

The threat actors distributed the malware bundled into trojanized copies of popular software hosted on dozens of freeware websites, including Softpedia and Uptodown. The experts noticed that the trojanized software is also easy to find through Google by searching for “Google Translate Desktop download”.

The campaign flew under the radar for years because the operators adopted several tricks, such as a delay mechanism that triggers a long, multi-step infection only weeks after the initial installation.

“The software can also be easily found through Google when users search for ‘Google Translate Desktop download’. While the apps display ‘100% CLEAN’ banners on some sites, the apps are actually Trojans and contain a delayed mechanism to trigger a long, multi-step infection that ends with cryptomining malware,” reads the analysis published by Check Point. “After the initial installation of the software, the attackers delayed the infection process for weeks and removed the traces of the original installation. This allowed the campaign to operate successfully under the radar for years.”

The malicious code is first executed almost a month after the Nitrokod software is installed on the victim’s system; the infection chain analyzed by the researchers consists of six stages.

The attackers used Windows scheduled tasks to implement the delays between each step of the infection chain.

The infection chain begins with the installation of a trojanized program downloaded from the Internet. When the software is run, a working Google Translate application is installed and an update file is dropped, which kicks off a series of four droppers until the actual malware is dropped.
Once the malicious code is executed, the malware connects to the C2 server to fetch the configuration for the XMRig crypto-miner and starts mining cryptocurrency.

In order to avoid detection, the stage 5 dropper performs a few checks to determine whether the malicious code is running in a virtual machine or whether certain security products are installed on the infected machine. If any such security software is found, the malware exits.
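The delay mechanism described above leaves a visible trace on the host: a scheduled task that launches a program from a user-writable directory and whose next run is days or weeks away. The following script is an added example (not Check Point’s tooling and not the Nitrokod code) that flags that pattern in the CSV produced by `schtasks /query /fo CSV /v`. The sample rows, the task names, the paths and the en-US date format are constructed for the example; the user-writable directory list is an assumption about a typical Windows layout.

```python
"""Hunt for long-delayed scheduled tasks that launch from user-writable paths.

Added example, not Check Point's tooling or the Nitrokod code: given the CSV
emitted by `schtasks /query /fo CSV /v`, flag tasks whose program sits in a
user-writable directory and whose next run is days away, the footprint a
multi-stage, delay-triggered dropper chain leaves behind.
"""
import csv
import io
import re
from datetime import datetime, timedelta

# Directories a non-admin user can write to (assumption: typical Windows
# layout, not exhaustive). A task launching from here deserves a look.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData|Temp)\\",
    re.IGNORECASE,
)

# Date format schtasks uses on an en-US system (assumption: adjust for
# other locales, schtasks prints dates in the system locale).
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample in the schtasks CSV layout; only the columns the
# heuristic reads are meaningful. Task names and paths are invented.
SAMPLE_CSV = r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment","Scheduled Task State","Idle Time","Power Management","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","9/6/2022 1:00:00 AM","Ready","Interactive/Background","8/30/2022 1:00:00 AM","0","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","","","Enabled","Disabled","","SYSTEM"
"WS01","\InstallUpdateTask","9/20/2022 9:15:00 AM","Ready","Interactive only","N/A","267011","WS01\alice","C:\Users\alice\AppData\Roaming\Updater\update.exe","C:\Users\alice\AppData\Roaming\Updater","","Enabled","Disabled","","WS01\alice"
"WS01","\OneDrive Standalone Update","9/1/2022 10:00:00 AM","Ready","Interactive only","8/31/2022 10:00:00 AM","0","WS01\alice","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","","","Enabled","Disabled","","WS01\alice"
'''


def parse_tasks(csv_text):
    """Parse schtasks CSV output into a list of row dicts.

    The header line is dropped defensively if it appears again in the body
    (schtasks can repeat it when listing several task folders).
    """
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r.get("TaskName") != "TaskName"]


def next_run(row):
    """Return the task's next run time, or None if it is N/A or unparsable."""
    try:
        return datetime.strptime(row["Next Run Time"].strip(), DATE_FMT)
    except (KeyError, ValueError):
        return None


def flag_delayed_tasks(csv_text, now, min_delay=timedelta(days=7)):
    """Return (task name, whole days until next run) for each task that runs
    from a user-writable path and will not fire for at least `min_delay`.

    Both conditions must hold: plenty of legitimate updaters live under
    AppData, so the long delay is what separates a planted stage from noise.
    """
    flagged = []
    for row in parse_tasks(csv_text):
        if not USER_WRITABLE.search(row.get("Task To Run", "")):
            continue
        when = next_run(row)
        if when is None:
            continue
        delay = when - now
        if delay >= min_delay:
            flagged.append((row["TaskName"], delay.days))
    return flagged


if __name__ == "__main__":
    # Pretend the scan runs on 31 Aug 2022 so the constructed rows make sense.
    for name, days in flag_delayed_tasks(SAMPLE_CSV, datetime(2022, 8, 31, 12, 0, 0)):
        print(f"{name}: next run in {days} days")
```

On a live host, export the task list with `schtasks /query /fo CSV /v > tasks.csv` and pass the file contents to `flag_delayed_tasks` with the current time. Treat hits as triage candidates rather than verdicts: a task that has never run (`Last Run Time` of `N/A`) and has a non-Microsoft author is worth pulling the target binary for, but a long-delayed updater can also be benign.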

Check Point shared Indicators of Compromise (IoC) for this campaign.


Pierluigi Paganini

(SecurityAffairs - hacking, Nitrokod)
