A crypto mining malware, disguised as a Google Translate app, has come to light recently for having forayed into thousands of computers. As per a study by Check Point Research (CPR), this malware called the ‘Nitrokod’ has been created by a Turkey-related entity as a desktop application for Google Translate. Several people have ended up downloading this app on their PCs in the absence of Google’s official desktop app for Translate services. This app, once installed, later establishes elaborate crypto mining operation set-up on the infected PCs.
Once the app is downloaded on a computer, the malware installation process is triggered via a scheduled task mechanism. Upon completion, this malware puts in place a sophisticated mining set-up for the Monero cryptocurrency, which is based on the energy-intensive proof-of-work (PoW) mining model.
This gives the controller of this campaign, hidden access to the infected computers to scam users and later damage the machines.
“After the malware is executed, it connects to its C&C server to get a configuration for the XMRig crypto miner and starts the mining activity. The software can be easily found through Google when users search ‘Google Translate Desktop download’. The applications are trojanised and contain a delayed mechanism to unleash a long multi-stage infection,” CPR said in its report.
As for now, PCs across at least eleven nations have been compromised via Nitrokod malware that has been in circulation since 2019.
Nitrokod crypto miner infected systems across 11 countries since 2019: Researchers spotted a Turkish-based crypto miner malware campaign, tracked as Nitrokod, which infected systems across 11 countries. Check Point researchers discovered a Turkish based… https://t.co/RBLezgXhcD pic.twitter.com/WK8dKE4W1x
— Shah Sheikh (@shah_sheikh) August 29, 2022
In recent times, the crypto sector has become a popular means for scamming among cyber criminals.
Scammers have been using the public trust on popular tech brands like LinkedIn, Twitter, and Google to fish out their victims and strike them.
In the former, scammers replace URLs to legitimate sites with infected ones created by them. Characters in the infected URLs are made to look like the ones in the real links. Once the target enters the fake website and gives away their login information, their assets come closer to being under the control of the scammer, who eventually drains it off the wallet.