"Nitrokod Crypto Miner Infected Over 111,000 Users with Copies of Popular Software"

Nitrokod, a Turkish-speaking entity, has been linked to an ongoing cryptocurrency mining campaign that impersonates a desktop application for Google Translate and has infected more than 111,000 victims in 11 countries since 2019. According to Check Point's vice president of research, Maya Horowitz, the malicious tools can be used by anyone: they can easily be found through a simple web search, downloaded from a link, and installed with a simple double-click. The UK, the US, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland are among the countries that have fallen victim to the campaign. The malicious campaign distributes malware via free software hosted on popular websites such as Softpedia and Uptodown. In order to avoid detection, the malware postpones execution for weeks and separates its malicious activity from the downloaded fake software. Following the installation of the infected program, an update executable is deployed to the disk, kick-starting a four-stage attack sequence in which each dropper paves the way for the next until the actual malware is dropped. When the malware is executed, a connection is established to a remote command-and-control (C2) server to retrieve a configuration file and begin the cryptocurrency mining activity. The free fake software offered by the Nitrokod campaign is for services that do not have an official desktop version, such as Yandex Translate, Microsoft Translate, YouTube Music, MP3 Download Manager, and PC Auto Shutdown. Furthermore, the malware is dropped nearly a month after the initial infection. By this time, the forensic trail has been erased, making it difficult to deconstruct the attack and trace it back to the installer. This article continues to discuss findings regarding the Nitrokod campaign.

THN reports "Nitrokod Crypto Miner Infected Over 111,000 Users with Copies of Popular Software"