2022-09-04

Hackers invade PCs with fake app

Many apps run in the browser, with no installation required. Even so, some people still look for downloadable versions of these programs, as was common a few years ago. Cybercriminals took advantage of this to create installable versions of Google Translate and other programs, with a surprise inside: cryptocurrency-mining malware.

The campaign was discovered by Check Point Research in July 2022. Known as Nitrokod, it has been active since 2019 and may have infected thousands of computers in 11 countries. A Turkish group is behind the attacks.

The Nitrokod malware impersonates Google Translate and other well-known services that exist only on the web and require no installation. Other products were also used to disguise the attack, such as Microsoft Translator, YouTube Music and MP3 download programs.

According to Check Point, the front-end programs are easy to build: the web version of Translate can be wrapped into a desktop application with the Chromium Embedded Framework, for example, so the criminals do not even have to develop software of their own.

These programs made their way to popular download sites such as Softpedia. The platform says that Nitrokod’s Google Translator Desktop has been downloaded more than 112,000 times since December 2019.

Also, by creating versions of popular services, criminals take advantage of the high volume of searches. The fake Google Translator Desktop, for example, was at the top of Google’s own search results.

The group’s goal is to use the infected computers to mine the Monero cryptocurrency, transferring the proceeds to the cybercriminals’ wallets. The path to that point, however, is slow and deliberate.

Malware infects computer little by little

One feature of Nitrokod that caught the attention of Check Point’s researchers was the malware’s “patience”: the miner is downloaded only after six earlier infection stages, and it does not run until almost a month after the fake Google Translate has been installed.

Furthermore, the chain relies on scheduled tasks that fire at intervals of one to fifteen days, and the downloaded packages arrive as password-protected RAR files.

The program also stops working if it encounters security products or virtual machine processes, as this could indicate that it is being analyzed by researchers.
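As an added defender-side example (not from the article or from Check Point’s report): a triage script that scans a scheduled-task inventory for the pattern described above, a task that fires every one to fifteen days and launches a binary from a user profile directory. The CSV sample, its column subset and the regexes are constructed for this illustration, loosely modelled on `schtasks /query /fo CSV /v` output.

```python
import csv
import re
from typing import List, Optional, Tuple

# Constructed, simplified inventory loosely modelled on `schtasks /query /fo CSV /v`
# output; the column subset and every row are invented for this example.
SAMPLE_TASKS = """\
"TaskName","Task To Run","Schedule Type","Days","Run As User"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","Weekly","WED","SYSTEM"
"\\GoogleTranslateDesktop\\update","C:\\Users\\alice\\AppData\\Roaming\\GoogleTranslateDesktop\\update.exe","Daily","Every 3 day(s)","alice"
"\\Adobe Acrobat Update Task","C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe","Daily","Every 1 day(s)","alice"
"\\BackupSync","C:\\Users\\alice\\Documents\\sync.exe","Daily","Every 15 day(s)","alice"
"\\Updater","C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe","Hourly","","alice"
"""

MIN_DAYS, MAX_DAYS = 1, 15   # interval range Check Point reports for Nitrokod's tasks
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)   # assumed profile root
INTERVAL = re.compile(r"Every (\d+) day\(s\)", re.IGNORECASE)

def interval_days(row: dict) -> Optional[int]:
    """Day interval of a 'Daily' task; None for any other schedule type."""
    if row["Schedule Type"].strip().lower() != "daily":
        return None
    m = INTERVAL.search(row["Days"])
    return int(m.group(1)) if m else 1   # plain "Daily" without a repeat = every day

def executable(command: str) -> str:
    """Best-effort split of the 'Task To Run' field into its executable path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split(" ")[0]

def suspicious_tasks(csv_text: str) -> List[Tuple[str, str, int]]:
    """(task, executable, interval) for tasks firing every 1..15 days from a user profile."""
    findings = []
    for row in csv.DictReader(csv_text.splitlines()):
        days = interval_days(row)
        if days is None or not MIN_DAYS <= days <= MAX_DAYS:
            continue
        exe = executable(row["Task To Run"])
        if USER_WRITABLE.match(exe):
            findings.append((row["TaskName"], exe, days))
    return findings

if __name__ == "__main__":
    for task, exe, days in suspicious_tasks(SAMPLE_TASKS):
        print(f"{task}: {exe} every {days} day(s)")
```

The heuristic is a triage aid, not a verdict: legitimate user-installed updaters can match, so each hit still needs the binary and its download origin checked.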

This lets the criminals hide evidence of the malware; not by chance, the threat took years to be detected.
