Hackers invade PCs with a fake app.
Many apps run in the browser, with no installation required. Some people still look for downloadable versions of these programs, as was common a few years ago. Cybercriminals took advantage of this to create installable versions of Google Translate and other programs, but with a surprise inside: cryptocurrency-mining malware.
Check Point Research discovered the campaign in July 2022. Nitrokod has been active since 2019 and may have infected thousands of computers in 11 countries. A Turkish group is behind the attacks.
Nitrokod impersonates Google Translate and other well-known services that normally run only in the browser and require no installation. Other products, such as Microsoft Translator, YouTube Music, and MP3 download programs, were also used to disguise the attack.
According to Check Point, the facade programs are quick to build: the web version of Translate can be wrapped into a desktop app using the Chromium Embedded Framework, for example, so the criminals do not even need to develop the software themselves.
These programs made their way to popular download sites such as Softpedia. The platform says that Nitrokod’s Google Translator Desktop has been downloaded more than 112,000 times since December 2019.
Also, by creating versions of popular services, criminals take advantage of the high volume of searches. For example, the fake Google Translator Desktop was at the top of Google’s search results.
Malware infects computers little by little.
One feature of Nitrokod that caught the attention of Check Point researchers was the malware’s “patience.” The miner is downloaded only after six earlier infection stages, and it does not run until almost a month after the fake Google Translate has been installed.
The chain relies on scheduled tasks that run at intervals of one to fifteen days, and the downloaded stages arrive as password-protected RAR archives.
The program also stops if it detects security products or virtual-machine processes, a sign that it is being analyzed by researchers.
These measures help the criminals hide the malware; it is no coincidence that the threat went undetected for years.
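The staging behaviour described above (scheduled tasks firing every few days, launching a payload dropped into a user-writable folder) is something a defender can hunt for in a scheduled-task inventory. The script below is an added example, not code from Check Point or from this article: it parses a CSV shaped like the output of `schtasks /query /fo CSV /v` (trimmed to the four columns it uses; a real export has many more, which are ignored), then scores each task on two heuristics that are my own assumptions drawn from the article: the task's executable lives under a user-writable directory (AppData, Temp, ProgramData, Downloads), and its daily trigger repeats every 2 to 15 days, which is unusual for legitimate software but matches the interval range reported for Nitrokod. The four sample rows are constructed; the task names and paths are placeholders, not indicators from the campaign.

```python
from __future__ import annotations

import csv
import io
import re

# Constructed sample: four scheduled tasks in a CSV shaped like the first
# columns of `schtasks /query /fo CSV /v`, trimmed to the four columns used
# here. Assumption: real exports carry many more columns; they are ignored.
# Task names and paths are placeholders, not real indicators.
SAMPLE_EXPORT = '''"TaskName","Task To Run","Schedule Type","Days"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o","Weekly","WED"
"\\Adobe Acrobat Update Task","C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe","Daily","Every 1 day(s)"
"\\TranslatorUpdate","C:\\Users\\alice\\AppData\\Roaming\\Translator\\update.exe","Daily","Every 3 day(s)"
"\\InstallService","C:\\ProgramData\\ExampleUpdater\\chainlink.exe /quiet","Daily","Every 15 day(s)"
'''

# First executable-looking token of the "Task To Run" column (quoted or not).
EXE_RE = re.compile(r'^\s*"?(.*?\.(?:exe|bat|cmd|ps1|vbs|js|scr))\b', re.IGNORECASE)

# Directories a standard user can write to (heuristic, my assumption).
USER_WRITABLE_RE = re.compile(
    r"\\(appdata|temp|tmp|downloads|programdata|users\\public)\\"
    r"|%(temp|tmp|appdata|localappdata)%",
    re.IGNORECASE,
)

# "Every N day(s)" as printed in the Days column of a Daily schedule.
INTERVAL_RE = re.compile(r"Every (\d+) day", re.IGNORECASE)


def parse_export(text: str) -> list[dict[str, str]]:
    """Parse the CSV export into one dict per task, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def command_path(task_to_run: str) -> str:
    """Strip arguments and quotes, returning just the executable path."""
    match = EXE_RE.search(task_to_run)
    return match.group(1) if match else task_to_run.strip()


def interval_days(task: dict[str, str]) -> int | None:
    """Repeat interval in days for Daily tasks, None for any other schedule."""
    if task["Schedule Type"].strip().lower() != "daily":
        return None
    match = INTERVAL_RE.search(task["Days"])
    return int(match.group(1)) if match else None


def assess(task: dict[str, str]) -> tuple[int, list[str]]:
    """Score one task; higher means more worth a closer look."""
    score, reasons = 0, []
    path = command_path(task["Task To Run"])
    if USER_WRITABLE_RE.search(path):
        score += 2
        reasons.append(f"runs from user-writable location: {path}")
    days = interval_days(task)
    # 2..15 days mirrors the interval range reported for Nitrokod's tasks;
    # "every 1 day" is too common among legitimate updaters to score.
    if days is not None and 2 <= days <= 15:
        score += 1
        reasons.append(f"infrequent daily trigger: every {days} days")
    return score, reasons


def hunt(export_text: str, threshold: int = 2) -> list[dict]:
    """Return tasks at or above the threshold, highest score first."""
    findings = []
    for task in parse_export(export_text):
        score, reasons = assess(task)
        if score >= threshold:
            findings.append({"task": task["TaskName"], "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EXPORT):
        print(f'{finding["task"]} (score {finding["score"]})')
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On a real host, export the inventory with `schtasks /query /fo CSV /v > tasks.csv` and pass the file contents to `hunt`. The score is a triage aid, not a verdict: a task that scores high still needs the binary's signature, hash and parent installer checked before any action is taken.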