Researchers have unearthed a crypto-mining trojan, Nitrokod. The campaign, run by a Turkish-speaking group, has infected over 111,000 victims in 11 countries since it began in 2019. The attackers distributed a fake Google Translate desktop app, among several other spoofed apps, to infect their victims’ devices.
Victims of the Malware Attack
The malware impacted users in Australia, Cyprus, Germany, Greece, Israel, Mongolia, Poland, Sri Lanka, Turkey, the U.K., and the U.S. Nitrokod built spoofed desktop versions of applications from well-known brands, including Google Translate, Yandex Translate, Microsoft Translate, and YouTube Music. The group deliberately picked popular applications that had no official desktop version and offered fake free desktop versions to attract users.
Some download sites even described the malicious applications as ‘100% CLEAN’. In reality, each one started a long, multi-stage infection that ends in crypto-mining malware.
Delayed Action to Escape Detection
Nitrokod designed the campaign so that, after installation, the actual infection was delayed for weeks. It used that time to delete the traces of the original installer, which makes it hard to connect the miner back to the application that delivered it. This delay is also why the campaign ran for years on users’ devices before researchers detected it.
After the trojanized application was installed, it would request an update, which started a sequence of four staged droppers. Each dropper downloaded and ran the next one in the chain on a scheduled delay and cleared the evidence of its own stage; the miner itself is dropped only at the seventh stage of the overall chain.
The programming of the application
An unsuspecting user downloads and installs a translation app that works just like any other, because it is built with a Chromium-based framework. The infection then proceeds in seven stages: web installer, installer, delayed dropper, scheduled tasks and log clearing, VM tests with firewall and Defender exclusions, miner dropper and finally the crypto-mining malware itself, powermanager.exe. Once the seventh stage runs, the miner connects to its command-and-control (C&C) server.
The C&C server is controlled by the criminals and directs the miner, an XMRig build, to mine cryptocurrency on the victim’s machine. The campaign was discovered by Check Point Research using its Infinity XDR (Extended Detection and Response) platform.
Sending user data to the host
The web installer is downloaded in the first stage, after which the installer sends a “post install” message to the Nitrokod domain. In the final stage, the malware collects data from the victim’s device and sends it to the C&C host. The data includes:
the last user event in minutes; time spent on the machine; the list of security products installed on the device; minutes passed since the last startup; the version of the powermanager.exe malware; the version of XMRig; the GUID of the machine; the number of processor cores; a generated identifier for the device; and the value of the registry key “SOFTWARE\Microsoft\Update\reference”.
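The following Python script is an added example, not code from Check Point or from the Nitrokod report. It shows detection logic over the behaviours described in the seven-stage chain and in the final telemetry: a scheduled task created for a delayed stage, a Defender exclusion and a firewall rule being added, event-log clearing, a write to the SOFTWARE\Microsoft\Update\reference registry key, and a powermanager.exe process started with XMRig-style arguments. It correlates indicators per host and reports how many days the chain spread over, which is exactly the trace the delayed-stage design leaves behind. The event records, the command-line shapes, the drop directory, the HKLM hive and the pool hostname are constructed assumptions for this example; the article names only the stages, powermanager.exe, XMRig and the registry key.

```python
"""Hunt for a Nitrokod-style staged miner chain in endpoint process/registry events.

Added example: event shapes are constructed; command lines, paths, the HKLM
hive and the pool hostname are assumptions, not indicators from the report.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    host: str
    ts: datetime
    kind: str    # "process" = process start, "registry" = registry value write
    image: str   # image started, or the process doing the registry write
    detail: str  # command line for "process"; full key path for "registry"


# Indicator name -> (event kind it applies to, regex over "<image> <detail>").
# Each regex encodes one behaviour from the stage list; the exact command-line
# syntax is an assumption for this example.
RULES = {
    "scheduled_task": ("process", re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    "defender_exclusion": ("process", re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)),
    "firewall_rule": ("process", re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)),
    "log_clearing": ("process", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    "powermanager_exe": ("process", re.compile(r"(^|\\)powermanager\.exe\b", re.I)),
    "xmrig_args": ("process", re.compile(r"(--donate-level|stratum\+tcp://)", re.I)),
    "update_reference_key": ("registry", re.compile(r"\\SOFTWARE\\Microsoft\\Update\\reference$", re.I)),
}

# Indicators that tie a host to the final stage rather than to generic admin activity.
ANCHORS = {"powermanager_exe", "update_reference_key", "xmrig_args"}


def match_indicators(event: Event) -> set:
    """Return the indicator names a single event triggers."""
    haystack = f"{event.image} {event.detail}"
    return {name for name, (kind, rx) in RULES.items()
            if kind == event.kind and rx.search(haystack)}


def hunt(events, min_indicators: int = 3) -> dict:
    """Correlate indicators per host.

    A host is reported as "staged_miner_chain" when it shows at least
    min_indicators distinct behaviours including one anchor; hosts with fewer
    hits are reported as "review". span_days is the gap between the first and
    last indicator, which exposes the deliberate multi-week delay.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        hits = match_indicators(ev)
        if not hits:
            continue
        rec = by_host.setdefault(ev.host, {"indicators": set(), "first": ev.ts, "last": ev.ts})
        rec["indicators"] |= hits
        rec["last"] = ev.ts
    findings = {}
    for host, rec in by_host.items():
        inds = rec["indicators"]
        span_days = (rec["last"] - rec["first"]) / timedelta(days=1)
        chain = len(inds) >= min_indicators and bool(inds & ANCHORS)
        findings[host] = {
            "indicators": sorted(inds),
            "span_days": round(span_days, 2),
            "delayed": span_days >= 1.0,
            "verdict": "staged_miner_chain" if chain else "review",
        }
    return findings


# Constructed sample telemetry (not real events). DROP is an assumed drop directory.
T0 = datetime(2022, 7, 1, 9, 0)
SYS32 = r"C:\Windows\System32"
DROP = r"C:\ProgramData\Updater"

SAMPLE_EVENTS = [
    # ws01: the full delayed chain, spread over weeks as the article describes
    Event("ws01", T0, "process", DROP + r"\update.exe", "update.exe /silent"),
    Event("ws01", T0 + timedelta(days=5), "process", SYS32 + r"\schtasks.exe",
          'schtasks /create /tn "Updater" /tr "' + DROP + r'\stage3.exe" /sc daily'),
    Event("ws01", T0 + timedelta(days=15), "process", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -Command Add-MpPreference -ExclusionPath '" + DROP + "'"),
    Event("ws01", T0 + timedelta(days=15, minutes=1), "process", SYS32 + r"\netsh.exe",
          'netsh advfirewall firewall add rule name="Updater" dir=out action=allow program="' + DROP + r'\powermanager.exe"'),
    Event("ws01", T0 + timedelta(days=15, minutes=2), "process", SYS32 + r"\wevtutil.exe", "wevtutil cl Application"),
    Event("ws01", T0 + timedelta(days=20), "registry", DROP + r"\powermanager.exe", r"HKLM\SOFTWARE\Microsoft\Update\reference"),
    Event("ws01", T0 + timedelta(days=20), "process", DROP + r"\powermanager.exe",
          "powermanager.exe --donate-level 1 -o stratum+tcp://pool.example:3333"),
    # ws02: a single admin scheduled task, which alone should only be queued for review
    Event("ws02", T0 + timedelta(days=1), "process", SYS32 + r"\schtasks.exe",
          'schtasks /create /tn "Backup" /tr "C:\\Tools\\backup.exe" /sc weekly'),
    # ws03: nothing of interest
    Event("ws03", T0, "process", SYS32 + r"\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS).items():
        print(host, finding)
```

On the constructed sample, ws01 is reported as a staged miner chain with seven indicators spread over 15 days, ws02 is only queued for review because a lone scheduled task is ordinary administration, and ws03 produces no finding. The requirement for an anchor indicator keeps generic Defender-exclusion or firewall activity from tripping the verdict on its own, and the span measurement is what separates this kind of deliberately slow chain from a single noisy installer.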