New Malware Campaign Disguised as Google Translate Distribute Cryptocurrency Miner

Cryptocurrency mining malware has been found recently in an ongoing campaign in 11 countries disguised as Google Translate and MP3 downloaders.

In order to distribute fake applications, legitimate sites which offer free software are distributing them to their users. In addition to this, it also exposes users of search engines to malicious applications through regular visits to these sites.

Detection of this malware has been carried out by Check Point security analysts. Nitrokod is the developer of the malware, which is presented to the user as being free of malware and providing the functionality that is advertised.

Infection Chain

Most Nitrokod campaigns follow similar infection chains, starting with an infected file downloaded from the Internet, followed by the installation of a file that has been infected.

The Google Translate application is actually installed once the user launches the new software and the installation process is complete. 

A newer version of the file will then be dropped and this will start a series of four droppers that will eventually bring the actual malware to the computer.

Initially, when the malware is executed, it will connect to its command and control (C&C) server, which will configure the XMRig crypto miner to start mining as soon as the malware is activated.

In terms of search results, Nitrokod ranks highly in Google, so the website serves as a perfect catch for users who are looking for a certain service.

Here’s what the experts at Check Point stated:-

“To evade detection, during the installation of the malicious components of the malware, the software purposely delays the process for up to a month in order.”

There were over 112,190 downloads of Nitrokod’s Applet for Google Translate on Softpedia after the applet was posted there.

There is a dropper that is activated by the software so as to prevent raising suspicions and thwart sandbox analysis. During the fifth day of the infection, another encrypted RAR file was forwarded by Wget containing a dropper that was loaded from that file.

After a period of 15 days, the software will end up fetching the next encrypted RAR from the following web portal, using PowerShell commands:-

• intelserviceupdate[.]com

Recommendation

The risk of crypto-mining malware can be quite high, since it can cause hardware stress and overheat, as a result of which it can damage the hardware. 

It also affects your computer’s performance by using additional CPU resources, which in turn results in a slower computer.

While to mitigate such a situation or threat you should follow the recommendations that we have mentioned below:-

• Always avoid downloading apps from unknown sources.
• Do not download any apps that promise unofficial functionalities.
• Always verify the developer profile before downloading an app.
• Avoid clicking spammy links to download any app.

Secure Azure AD Conditional Access – Download Free E-Book