Tuesday, January 14, 2025
HomeCyber Security NewsNew Malware Campaign Disguised as Google Translate Distribute Cryptocurrency Miner

New Malware Campaign Disguised as Google Translate Distribute Cryptocurrency Miner

Published on

Cryptocurrency mining malware has been found recently in an ongoing campaign in 11 countries disguised as Google Translate and MP3 downloaders.

In order to distribute fake applications, legitimate sites which offer free software are distributing them to their users. In addition to this, it also exposes users of search engines to malicious applications through regular visits to these sites.

Detection of this malware has been carried out by Check Point security analysts. Nitrokod is the developer of the malware, which is presented to the user as being free of malware and providing the functionality that is advertised.

Infection Chain

Most Nitrokod campaigns follow similar infection chains, starting with an infected file downloaded from the Internet, followed by the installation of a file that has been infected.

The Google Translate application is actually installed once the user launches the new software and the installation process is complete. 

A newer version of the file will then be dropped and this will start a series of four droppers that will eventually bring the actual malware to the computer.

Initially, when the malware is executed, it will connect to its command and control (C&C) server, which will configure the XMRig crypto miner to start mining as soon as the malware is activated.

In terms of search results, Nitrokod ranks highly in Google, so the website serves as a perfect catch for users who are looking for a certain service.

Here’s what the experts at Check Point stated:-

“To evade detection, during the installation of the malicious components of the malware, the software purposely delays the process for up to a month in order.”

There were over 112,190 downloads of Nitrokod’s Applet for Google Translate on Softpedia after the applet was posted there.

There is a dropper that is activated by the software so as to prevent raising suspicions and thwart sandbox analysis. During the fifth day of the infection, another encrypted RAR file was forwarded by Wget containing a dropper that was loaded from that file.

After a period of 15 days, the software will end up fetching the next encrypted RAR from the following web portal, using PowerShell commands:-

  • intelserviceupdate[.]com

Recommendation

The risk of crypto-mining malware can be quite high, since it can cause hardware stress and overheat, as a result of which it can damage the hardware. 

It also affects your computer’s performance by using additional CPU resources, which in turn results in a slower computer.

While to mitigate such a situation or threat you should follow the recommendations that we have mentioned below:-

  • Always avoid downloading apps from unknown sources.
  • Do not download any apps that promise unofficial functionalities.
  • Always verify the developer profile before downloading an app.
  • Avoid clicking spammy links to download any app.

Secure Azure AD Conditional Access – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...