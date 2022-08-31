A new Windows malware strain can lie dormant on a computer for up to a month before acting, a way of evading detection by security software. Distributed as desktop versions of Google Translate, YouTube Music, MP3 download tools and other legitimate applications, the threat is in fact a cryptocurrency miner that uses the computing power of its victims to generate profit for the criminals.

The operation was detailed by security researchers at Check Point Research, who report thousands of infected machines in 11 countries. The malware is reportedly of Turkish origin and is delivered from free-software download sites such as Softpedia and Uptodown; the reputation of those sites also helps the campaign rank prominently in search results.

The following apps, all with a worldwide user base, are used to spread the infection:

Google Translate Desktop

Yandex Translate Desktop

Microsoft Translate Desktop

PC Auto Shutdown

MP3 Download Manager

YouTube Music Desktop

Criminals use a modified Chromium-based browser to run the services' web interfaces as if they were local apps, in order to spread the infection (Image: Reproduction/Check Point Research)

The apps do deliver what they promise, which makes the infection harder to notice; after installation, the dropped files are also deleted, keeping the traces left on the machine to the necessary minimum. Combined with several obfuscation techniques, this allowed the campaign to stay under the radar for at least two years, having been active since 2019.

This also gave the campaign a wide reach: the fraudulent version of Google Translate on Softpedia alone racked up more than 112,000 downloads before the researchers spotted it. Servers controlled by the crooks can even deliver updates to the fraudulent software, as well as further malicious files.

The infection proceeds in stages, with the malware disguising its components as parts of the operating system until it eventually receives the cryptocurrency mining commands and starts generating revenue for the criminals. Configuration options even let the operators control how much processing power is used, another way of keeping the user from noticing the problem.

Malicious apps are hosted on legitimate distribution services, which can even make them appear in search results (Image: Reproduction/Check Point Research)

It is worth noting that many of the impersonated services do not have an official desktop app; the Nitrokod operation, as Check Point named it, uses a Chromium-based browser adaptation to display each service's web interface inside a window. As the researchers point out, this lets the criminals distribute genuinely functional apps without having to develop anything, which increases the campaign's chances of success.

Check Point's researchers note that mining may be only one example of what can be done with a Nitrokod-infected machine, which can also receive more dangerous malware. Hence the recommendation to download software only from its developers' official websites, and to avoid supposed desktop clients of services that do not offer a dedicated desktop version.

A sudden computer slowdown is a sign that a cryptocurrency miner may be running. Advanced users can monitor running processes for anything out of place; for everyone, the recommendation is to keep the operating system and apps up to date and to run good security software.
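The two behaviours described above, delayed multi-stage execution that hides among system components and throttled mining that avoids an obvious CPU spike, suggest a concrete check for the "monitor processes" advice. The script below is an added example written for this page; it is not Check Point's tooling or anything from the Nitrokod report. It assumes that a stage which waits days before running is triggered by a scheduled task (the article does not say how the delay is implemented), that binaries under the Windows and Program Files directories are "expected", and the CPU threshold and sampling window are arbitrary starting values to tune per estate.

```powershell
# Added hunt script (not from Check Point's report or this article).
# Assumptions, labelled here: delayed stages persist via scheduled tasks,
# binaries under Windows / Program Files are "expected", and the CPU
# threshold and sampling window below are starting values, not findings.
param(
    [double]$CpuThresholdPercent = 40,   # assumed: % of one core, sustained over the window
    [int]$SampleSeconds = 15             # assumed: sampling window in seconds
)

# Directories whose binaries we treat as expected (assumption; tune per estate).
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false   # bare names such as "powershell.exe" are flagged too; worth a look
}

function Get-SignerSummary {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path)) { return 'n/a' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return $sig.SignerCertificate.Subject }
    return "UNSIGNED/$($sig.Status)"
}

# 1. Scheduled tasks whose action launches something outside the trusted roots.
#    A stage that waits days before running needs a trigger; a task pointing at
#    %APPDATA%, %TEMP% or %PROGRAMDATA% deserves a second look.
Write-Host "== Scheduled tasks launching from non-standard locations =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only exec actions carry Execute; COM-handler actions are skipped here.
        if ($action.Execute -and -not (Test-TrustedPath $action.Execute)) {
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                State     = $task.State
                Execute   = $action.Execute
                Arguments = $action.Arguments
                Signer    = Get-SignerSummary $exe
            }
        }
    }
} | Format-Table -AutoSize -Wrap

# 2. Processes with sustained CPU. Two snapshots of TotalProcessorTime are
#    compared, so a throttled miner shows up as steady load rather than a spike.
function Get-CpuSnapshot {
    $snap = @{}
    foreach ($p in Get-Process) {
        try { $snap[$p.Id] = $p.TotalProcessorTime.TotalSeconds } catch { }  # protected processes deny access
    }
    return $snap
}

Write-Host "== Processes using >= $CpuThresholdPercent% of a core over $SampleSeconds s =="
$before = Get-CpuSnapshot
Start-Sleep -Seconds $SampleSeconds
$after  = Get-CpuSnapshot

Get-Process | ForEach-Object {
    $id = $_.Id
    if ($before.ContainsKey($id) -and $after.ContainsKey($id)) {
        $pct = 100 * ($after[$id] - $before[$id]) / $SampleSeconds
        if ($pct -ge $CpuThresholdPercent) {
            $path = try { $_.Path } catch { $null }   # Path is unreadable for some system processes
            [pscustomobject]@{
                Id          = $id
                Name        = $_.ProcessName
                CpuPercent  = [math]::Round($pct, 1)
                Path        = $path
                TrustedPath = Test-TrustedPath $path
                Signer      = Get-SignerSummary $path
            }
        }
    }
} | Sort-Object CpuPercent -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell so that tasks in every folder and the paths of other users' processes are visible. The output is a list to triage, not a verdict: a signed binary under Program Files can still be a repackaged installer, and a legitimate video encoder will trip the CPU check, so read the Path and Signer columns together rather than trusting either alone.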

Source: Check Point Research