Fake Google Translate desktop app drops a cryptocurrency miner on 112,000 PCs
Crypto-mining malware has been quietly infecting thousands of machines worldwide since 2019, often disguised as trusted applications such as Google Translate, according to new research.
Check Point Research (CPR), the research arm of the Israeli-American cybersecurity vendor Check Point Software Technologies, said in a report released on Monday that the malware has run undetected for years. Part of the reason is its patient design: the crypto miner is not installed until weeks after the initial software download, long after most users (and most sandboxes) have stopped watching.
.@_CPResearch_ detected a #crypto miner #malware campaign, which potentially infected thousands of machines worldwide. Dubbed "Nitrokod," the attack was initially found by Check Point XDR. Get the details, here: https://t.co/MeaLP3nh97 #cryptocurrency #TechnologyNews #CyberSec pic.twitter.com/ANoeI7FZ1O
— Check Point Software (@CheckPointSW) August 29, 2022
The malware reaches PCs through fake desktop versions of popular services such as YouTube Music, Google Translate and Microsoft Translate. CPR links it to a Turkish-speaking software developer that advertises "free and safe software."
The infection unfolds in stages, each launched by a scheduled task, over the course of several days; only at the end of the chain is a covert Monero (XMR) miner set up. Because no single stage does anything obviously malicious, and the miner arrives days after the download, the installer itself looks clean to anyone who only watches the first few minutes.
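One way to hunt for that staging pattern on an endpoint, as an added example that is not code from the report or from Check Point: export the Task Scheduler definitions (`schtasks /Query /XML`, or the files under `C:\Windows\System32\Tasks`) and flag tasks whose action runs from a user-writable directory, launches through a built-in interpreter, or is scheduled to fire days after it was registered. The task definitions, task names, paths and the `alice` profile below are constructed for illustration, not indicators from the Nitrokod campaign.

```python
"""Hunt Windows Task Scheduler XML for staged-dropper patterns.

Added example, not code from Check Point Research. SAMPLE_TASKS are
constructed for illustration and are NOT indicators from the report.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to. A persistent task whose payload
# lives here rather than under Program Files / System32 is the first thing to check.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")

# Built-in interpreters that droppers use so the task looks like a Windows one.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Assumed environment of one example user; real tooling would read the
# environment of the task's principal on the target host instead.
ENV = {
    "%APPDATA%": "C:\\Users\\alice\\AppData\\Roaming",
    "%LOCALAPPDATA%": "C:\\Users\\alice\\AppData\\Local",
    "%TEMP%": "C:\\Users\\alice\\AppData\\Local\\Temp",
    "%PROGRAMDATA%": "C:\\ProgramData",
    "%SYSTEMROOT%": "C:\\Windows",
    "%WINDIR%": "C:\\Windows",
}

# ISO 8601 duration as written in <Delay> / <RandomDelay>, e.g. PT15M or P5D.
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def expand(path: str) -> str:
    """Expand the %VAR% names in ENV (case-insensitive) and drop quoting."""
    for var, val in ENV.items():
        idx = path.upper().find(var)
        while idx != -1:
            path = path[:idx] + val + path[idx + len(var):]
            idx = path.upper().find(var)
    return path.replace('"', "")


def duration_seconds(text: Optional[str]) -> int:
    m = DURATION.match((text or "").strip())
    if not m:
        return 0
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def parse_ts(text: str) -> datetime:
    # Task Scheduler writes timestamps like 2022-08-01T10:00:00, sometimes with a Z.
    return datetime.fromisoformat(text.strip().rstrip("Z"))


def staging_delay(root: ET.Element) -> int:
    """Longest wait, in seconds, between task registration and its first run."""
    reg = root.findtext("t:RegistrationInfo/t:Date", namespaces=NS)
    triggers = root.find("t:Triggers", NS)
    longest = 0
    for trig in (list(triggers) if triggers is not None else []):
        for tag in ("t:Delay", "t:RandomDelay"):
            longest = max(longest, duration_seconds(trig.findtext(tag, namespaces=NS)))
        start = trig.findtext("t:StartBoundary", namespaces=NS)
        if reg and start:
            longest = max(longest, int((parse_ts(start) - parse_ts(reg)).total_seconds()))
    return longest


@dataclass
class Finding:
    task: str
    command: str
    reasons: List[str] = field(default_factory=list)


def analyse_task(name: str, xml_text: str, long_delay: int = 86400) -> Finding:
    root = ET.fromstring(xml_text)
    exec_node = root.find("t:Actions/t:Exec", NS)
    if exec_node is None:                      # ComHandler / SendEmail actions: out of scope
        return Finding(name, "")
    cmd = expand(exec_node.findtext("t:Command", default="", namespaces=NS))
    args = expand(exec_node.findtext("t:Arguments", default="", namespaces=NS))
    finding = Finding(name, (cmd + " " + args).strip())
    if any(p in finding.command.lower() for p in USER_WRITABLE):
        finding.reasons.append("payload path is in a user-writable directory")
    exe = cmd.lower().rsplit("\\", 1)[-1]
    if exe in LOLBINS and args:
        finding.reasons.append(f"{exe} used as a launcher (living off the land)")
    delay = staging_delay(root)
    if delay >= long_delay:  # the multi-day staging described above
        finding.reasons.append(f"first run {delay // 86400} day(s) after registration")
    return finding


def hunt(tasks) -> List[Finding]:
    """Return only the tasks that tripped at least one heuristic."""
    return [f for f in (analyse_task(n, x) for n, x in tasks) if f.reasons]


SAMPLE_TASKS = [  # constructed task definitions, not real ones
    ("DiskCleanupNightly", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-08-01T09:00:00</Date></RegistrationInfo>
  <Triggers><LogonTrigger><Delay>PT5M</Delay></LogonTrigger></Triggers>
  <Actions><Exec><Command>%SYSTEMROOT%\system32\cleanmgr.exe</Command><Arguments>/autoclean</Arguments></Exec></Actions>
</Task>"""),
    ("UpdaterStage2", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-08-01T10:00:00</Date></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2022-08-06T10:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command><Arguments>-w hidden -File "%APPDATA%\Updater\stage2.ps1"</Arguments></Exec></Actions>
</Task>"""),
    ("HelperUpdate", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Delay>PT15M</Delay></LogonTrigger></Triggers>
  <Actions><Exec><Command>"%LOCALAPPDATA%\Programs\Helper\update.exe"</Command></Exec></Actions>
</Task>"""),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKS):
        print(f.task, "->", f.command, "|", "; ".join(f.reasons))
```

The delay heuristic is the interesting one for a campaign like this: a task that registers itself today and first fires next week is exactly what a sandbox that runs for five minutes will never see, so it is worth surfacing even when the payload path looks innocuous.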
The company said the Turkey-based "Nitrokod" campaign has infected computers in 11 countries.
According to CPR, the forgeries, published under the name Nitrokod INC, were available on well-known software download sites including Softpedia and Uptodown.
Although Google offers no official desktop version of Google Translate, the fake on Softpedia had nearly a thousand ratings and an average score of 9.3 out of 10. Some of the programs had been downloaded hundreds of thousands of times.
Check Point says a key element of the scheme is offering desktop versions of the programs at all.
Most of the services Nitrokod imitates have no official desktop client, which attracts users who believe they have found a program that is not available anywhere else.
The malware-laden fakes can also be found "by a simple web search," says Maya Horowitz, vice president of research at Check Point Software.
The idea that the harmful software is so well-known but was overlooked for such a long time intrigues me the most.
As of this writing, Nitrokod's Google Translate Desktop knockoff is still among the top search results.
Design helps avoid detection
Because the fake apps reproduce the features of the real services, the malware is hard to spot even after the user launches the bogus program: it does what it promised to do.
Most of the attacker's applications are built with a Chromium-based framework that simply wraps the official web site, so working apps laced with malware can be distributed without writing the application itself from scratch.
The malware has so far claimed more than 100,000 victims across 11 countries: Israel, Germany, the United Kingdom, the United States, Sri Lanka, Cyprus, Australia, Greece, Turkey, Mongolia and Poland.
Horowitz says a few basic precautions can reduce the risk of being duped by this malware and others like it.
"Watch out for similar-looking domains, misspelled websites, and unknown email senders. Only download software from authorized, recognized authors or vendors, and make sure your endpoint security is up to date and offers complete protection."