Dressed up as legitimate desktop software, this sneaky malware has infected thousands of machines across 11 countries, forcing them to unknowingly mine Monero (XMR).
Crypto mining malware has been sneakily invading hundreds of thousands of computers around the world since 2019, often masquerading as legitimate programs, such as Google Translate, new research has found.
In an Aug. 29 report by Check Point Research (CPR), a research team for American-Israeli cybersecurity provider, Check Point Software Technologies, the malware has been flying under the radar for years, thanks partly to its insidious design which delays instaling the crypto mining malware for weeks after the initial software download.
.@_CPResearch_ detected a #crypto miner #malware campaign, which potentially infected thousands of machines worldwide. Dubbed ‘Nitrokod,” the attack was initially found by Check Point XDR. Get the details, here: https://t.co/MeaLP3nh97 #cryptocurrecy #TechnologyNews #CyberSec pic.twitter.com/ANoeI7FZ1O
— Check Point Software (@CheckPointSW) August 29, 2022
Linked to a Turkish-based-speaking software developer claiming to offer “free and safe software,” the malware program invades PCs through counterfeit desktop versions of popular apps such as YouTube Music, Google Translate and Microsoft Translate.
Once a scheduled task mechanism triggers the malware installation process, it steadily goes through several steps over several days, ending with a stealth Monero (XMR) crypto mining operation being set up.
The cybersecurity firm said that the Turkish-based crypto miner dubbed ‘Nitrokod’ has infected machines across 11 countries.
According to CPR, popular software downloading sites like Softpedia and Uptodown had forgeries available under the publisher name “Nitrokod INC”.
Some of the programs had been downloaded hundreds of thousands of times, such as the fake desktop version of Google Translate on Softpedia, which even had nearly a thousand reviews, averaging a star score of 9.3 out of ten, despite Google not having an official desktop version for that program.
Screenshot by Check Point Research of the alleged fake app
According to Check Point Software Technologies, offering a desktop version of apps is a key part of the scam.
Most programs offered by Nitrokod don’t have a desktop version, making the counterfeit software appealing to users who think they’ve found a program unavailable anywhere else.
According to Maya Horowitz, VP of Research at Check Point Software, the malware riddled fakes are also available “by a simple web search”.
“What’s most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long.”
As of writing, Nitrokod’s imitation Google Translate Desktop program remains one of the main search results.
Design helps avoid detection
The malware is particularly tricky to detect, as even when a user launches the sham software, they remain none the wiser as the fake apps can also mimic the same functions that the legitimate app provides.
Most of the hacker’s programs are easily built from the official web pages using a Chromium based framework, allowing them to spread functional programs loaded with malware without developing them from the ground up.
Related: 8 sneaky crypto scams on Twitter right now
So far, over one hundred thousand people across Israel, Germany, the U.K., America, Sri Lanka, Cyprus, Australia, Greece, Turkey, Mongolia, and Poland have all fallen prey to the malware.
To avoid getting scammed by this malware and others like it, Horowitz, says several basic security tips can help reduce the risk.
“Beware of lookalike domains, spelling errors in websites, and unfamiliar email senders. Only download software only from authorised, known publishers or vendors and ensure your endpoint security is up to date and provides comprehensive protection.”