Researchers have unearthed a crypto miner trojan Nitrokod. The Turkish-speaking trojan has infected over 111,000 individuals in 11 countries since it started in 2019. The attackers used a fake Google Translate app among several to infect their victims’ devices.
The malware impacted users from Australia, Cyprus, Germany, Greece, Israel, Mongolia, Poland, Sri Lanka, Turkey, the U.K., and the U.S. Nitrokod made spoofed applications of known brands like Google Translate, Yandex Translate, Microsoft Translate, and YouTube Music among others. The group picked applications that didn’t have desktop versions and created fake free desktop versions to attract users.
Some versions of the malicious applications read that it was ‘100 CLEAN’. However, it sent long multi-stage infections of the crypto mining malware.
Nitrokod planned the campaign in such a way that after installation, it delayed the infection attack for weeks. It used the extended time to delete the traces of malware from the original source. This was also why researchers took time to detect it as it continued for years in users’ devices.
After the installation of the infected application, it would ask for an update that would start a four-stage attack sequence. The malware is dropped in the seventh stage of the attack. Each dropper made the next dropper in the sequence run in the device. This worked itself out in six stages with regular delayed intervals to clear the evidence of the malware.
An unsuspecting user would download and install a translation app which would function just like any other as it is made using a Chromium-based framework. It would work then in seven stages including Web Installer, Installer, Delayed Dropper, Scheduled Tasks and Log clearing, VM tests with Firewall and Defender Exclusions, Miner dropper and finally, Cryptomining Malware – powermanager.exe. After the seventh stage, the app is connected to its Command and Control Server (C&C).
The C&C is controlled by cyber criminals and is used to mine cryptocurrencies. The finding was made by Check Point’s Infinity XDR (Extended Detection and Response platform).
The infection would get downloaded in the first stage following which the installer would send a Post Install message to the Nitrokod domain. In the final stage, the application collected data from the user’s device and sends it to the host. The data includes:
Last user event in minutes, time spent on the machine, list of the security products installed on the device, minutes passed since the last startup, version of the “Powermanager.exe” malware, version of the XMRig, the GUID of the machine, number of processor cores, a generated identifier of the device and the value of the registration key, “SOFTWAREMicrosoftUpdatereference.”
AI fraud, deepfake probes, SME cyber warnings, and ransomware cases highlight rising global risks in this week’s Cyber Express roundup.
French national bank authority confirmed a major data breach affecting 1.2 million bank accounts after a malicious actor stole credentials…
The real success of AI will not only depend on how powerful the technology becomes, but on how safely, fairly,…
Israel data breach totals two petabytes, with phishing up 35% and cyber influence attacks rising 170%, says Yossi Karadi.
The UMMC cyberattack halted surgeries, closed clinics statewide and triggered a federal probe into potential patient data exposure.
ESET researchers discovered PromptSpy, the first known Android malware to integrate generative AI directly into its execution flow, marking a…
This website uses cookies. By continuing to use this website you are giving consent to cookies being used.
Read More