According to new research, crypto mining malware has been covertly infecting thousands of machines worldwide since 2019 by frequently disguising itself as trusted applications like Google Translate.
The Nitrokod crypto-mining Trojan behaves like a legitimate Windows application for days or weeks before it drops and runs its Monero-mining payload.
According to the Check Point Research report, the Turkish-speaking group behind Nitrokod has been active since 2019; the campaign was uncovered by Check Point's researchers at the end of July and, by then, may already have infected thousands of systems across 11 countries. Notably, the fake apps offer desktop versions of services that are normally only available in the browser (there is no official Google Translate desktop app), which explains their appeal.
The researchers report that the malware is distributed through free-software download sites such as Softpedia and Uptodown, where the trojanized apps are hosted; the listings turn up in an ordinary Google search.
What happens after you install the fake app?
When a victim runs one of the installers, a working Google Translate desktop app is installed, so nothing looks wrong. The dropper then uses PowerShell commands to clear the system event logs, add a firewall rule, and add itself to Windows Defender's exclusion list so that it is no longer scanned.
Only after several weeks is the final stage loaded. It connects to a command-and-control server to retrieve a configuration for the XMRig miner, and the dropped files then start mining Monero on the victim's PC.
Because that payload is fetched from the C2 server, the operator could replace the miner with more destructive code at any time.
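Each of the evasion steps described above (clearing the event logs, adding a firewall rule, adding a Windows Defender exclusion) leaves an artifact that can be checked on a suspect host. The PowerShell script below is an added triage example written for this article; it is not code from Check Point's report or from the Nitrokod samples. Get-MpPreference, Get-NetFirewallRule, Get-NetFirewallApplicationFilter and Get-WinEvent are standard cmdlets on Windows 10 / Server 2016 and later. The function names, the list of directories treated as "user-writable" and the 30-day window are illustrative assumptions, and reading the Security log requires an elevated prompt.

```powershell
# Added triage script (not from the Check Point report or the Nitrokod samples).
# Checks a Windows host for the three evasion artifacts the article describes:
#   - Windows Defender exclusions that point into user-writable directories
#   - enabled firewall rules whose program lives in a user-writable directory
#   - "log cleared" events (Security 1102, System 104) and a suspiciously young Security log
# Assumptions: Windows 10 / Server 2016 or later, run from an elevated prompt
# (the Security log is admin-only). The directory list and the 30-day window
# are illustrative choices, not values taken from the report.

function Test-UserWritablePath {
    param([string]$Path)
    # Directories a dropper running as the logged-on user can write to.
    # Illustrative list; tune it for your environment.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return ($expanded -match '^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\')
}

function Get-SuspiciousDefenderExclusions {
    $prefs = Get-MpPreference
    $items = @()
    foreach ($p in @($prefs.ExclusionPath))    { if ($p) { $items += [pscustomobject]@{ Kind = 'Path';    Value = $p } } }
    foreach ($p in @($prefs.ExclusionProcess)) { if ($p) { $items += [pscustomobject]@{ Kind = 'Process'; Value = $p } } }
    # An exclusion under %APPDATA%, %TEMP% or ProgramData is exactly what a
    # user-level dropper would add for itself.
    $items | Where-Object { Test-UserWritablePath -Path $_.Value }
}

function Get-SuspiciousFirewallRules {
    Get-NetFirewallRule -Enabled True -ErrorAction SilentlyContinue | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        if ($app.Program -and $app.Program -ne 'Any' -and (Test-UserWritablePath -Path $app.Program)) {
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Direction = $rule.Direction
                Action    = $rule.Action
                Program   = $app.Program
            }
        }
    }
}

function Get-LogClearingEvidence {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # Clearing a log is itself logged *after* the clear, so these records survive
    # the wipe: 1102 in Security, 104 in System (Microsoft-Windows-Eventlog).
    foreach ($q in @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System';   Id = 104;  StartTime = $since })) {
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.TimeCreated) $($_.LogName) event $($_.Id): log was cleared" }
    }
    # A host installed long ago whose oldest Security record is only days old
    # has almost certainly had the log cleared, even if the 1102 is gone too.
    $oldest  = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $install = (Get-CimInstance Win32_OperatingSystem).InstallDate
    if ($oldest -and $install -lt $since -and $oldest.TimeCreated -gt $since) {
        "Security log starts at $($oldest.TimeCreated) on a host installed $install; log likely cleared"
    }
}

$findings = @()
$findings += Get-SuspiciousDefenderExclusions | ForEach-Object { "Defender exclusion ($($_.Kind)): $($_.Value)" }
$findings += Get-SuspiciousFirewallRules       | ForEach-Object { "Firewall rule '$($_.Name)' ($($_.Direction)/$($_.Action)) for $($_.Program)" }
$findings += Get-LogClearingEvidence -Days 30
$findings  = @($findings | Where-Object { $_ })

if ($findings.Count -eq 0) {
    Write-Output 'No Nitrokod-style evasion artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated PowerShell prompt on the host in question. A Defender exclusion pointing at a path under a user profile is the highest-signal finding, because legitimate software rarely needs one there; a 1102 or 104 event on its own is weaker evidence (administrators clear logs too), but taken together with a fresh exclusion and a firewall rule for an executable in the same directory it matches the staged behaviour described above. Enumerating every firewall rule's application filter is slow on hosts with hundreds of rules, so on a large fleet you would collect these three signals centrally from your EDR or SIEM rather than run the script host by host.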