Nitrokod cryptomining campaign potentially infected thousands of machines worldwide

Researchers at Check Point Research said they uncovered a Turkish-based cryptomining campaign, dubbed “Nitrokod”, which potentially has infected thousands of machines across the globe since 2019.

“At the campaign’s core there are several useful utilities. Created by a Turkish speaking entity, the campaign dropped malware from free software available on popular websites. The software can also be easily found through Google when users search "Google Translate Desktop download",” the researchers said.

While the apps claim to be clean, they are in fact malicious and contain a delayed mechanism that unleashes a long multi-stage infection ending with cryptomining malware. Once the app is installed, the threat actors behind the campaign delay the infection process for weeks and delete traces of the original installation, which allowed them to operate stealthily for years.

The campaign, according to the researchers, targeted victims in the UK, the US, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland.

The notable aspect of this campaign is that the software Nitrokod offers mimics popular programs that have no official desktop version, such as Yandex Translate, Microsoft Translate, YouTube Music, MP3 Download Manager, and PC Auto Shutdown.

Once the new software is run, an actual Google Translate app is installed. In addition, an update file is dropped which starts a chain of four droppers until the actual malware is downloaded. Upon execution, the malware connects to its command and control server to fetch a configuration for the XMRig crypto miner and starts the mining activity.
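The final stage described above is an XMRig miner launched with a pool configuration fetched from the command and control server. A defender cannot see the weeks-long delay directly, but the miner's launch is visible in process-creation telemetry. The following is an added example, not code from Check Point Research or from the Nitrokod campaign: it scores command lines against XMRig's documented options (-o/--url, -u/--user, -a/--algo, --donate-level, --coin), the stratum URL schemes mining pools use, and a short list of CPU-mining algorithm names, and raises an alert only when several signals coincide, so that a lone `curl -o` does not fire. The log format, the sample lines, the parent process name and the pool host are all constructed for this example.

```python
"""Heuristic detection of XMRig-style miner launches in process-creation logs.

Added example for the Nitrokod article; not the researchers' or the campaign's code.
The log format and sample lines below are constructed. The markers are XMRig's
documented command-line options and the stratum URL schemes used by mining pools.
"""
import re
from dataclasses import dataclass, field

# XMRig's documented options (long and short forms), matched as whole tokens.
XMRIG_FLAG_RE = re.compile(
    r"(?:^|\s)(?:--url|--user|--algo|--donate-level|--coin|-o|-u|-a)(?:=|\s)"
)
# Pool connection strings: stratum+tcp://, stratum+ssl://, stratum+tls://
STRATUM_RE = re.compile(r"\bstratum\+(?:tcp|ssl|tls)://[^\s'\"]+")
# A few algorithm names XMRig accepts for CPU mining.
ALGO_RE = re.compile(r"\b(?:rx/0|rx/wow|cn/r|cn-heavy|argon2/chukwa)\b")


@dataclass
class Alert:
    timestamp: str
    parent: str
    image: str
    score: int
    reasons: list = field(default_factory=list)


def score_cmdline(cmdline: str):
    """Return (score, reasons): one point per independent miner signal."""
    reasons = []
    if STRATUM_RE.search(cmdline):
        reasons.append("stratum pool URL")
    if XMRIG_FLAG_RE.search(cmdline):
        reasons.append("xmrig-style option")
    if ALGO_RE.search(cmdline):
        reasons.append("known CPU-mining algorithm")
    if re.search(r"xmrig", cmdline, re.IGNORECASE):
        reasons.append("xmrig name in command line")
    return len(reasons), reasons


def parse_line(line: str):
    # Constructed format: "<timestamp>|<parent image>|<image path>|<command line>"
    ts, parent, image, cmdline = line.split("|", 3)
    return ts, parent, image, cmdline


def scan(lines, threshold: int = 2):
    """Alert on every process whose command line carries >= threshold signals."""
    alerts = []
    for line in lines:
        ts, parent, image, cmdline = parse_line(line)
        score, reasons = score_cmdline(cmdline)
        if score >= threshold:
            alerts.append(Alert(ts, parent, image, score, reasons))
    return alerts


# Constructed sample telemetry: a benign download, a miner spawned by a fake
# translator app (hypothetical name), and a benign archiver run.
SAMPLE_LOG = [
    "2022-08-01T10:00:00Z|svchost.exe|C:\\Windows\\System32\\curl.exe|"
    "curl.exe -o update.zip https://example.invalid/update.zip",
    "2022-08-01T10:05:00Z|GoogleTranslateDesktop.exe|C:\\Users\\Public\\winrig.exe|"
    "winrig.exe -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER -a rx/0 --donate-level 1",
    "2022-08-01T10:06:00Z|explorer.exe|C:\\Program Files\\7-Zip\\7z.exe|"
    "7z.exe a archive.7z docs",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.timestamp} parent={alert.parent} image={alert.image} "
              f"score={alert.score} reasons={alert.reasons}")
```

The parent image is kept in the alert on purpose: a miner launched by a process that presents itself as a translator or media app is exactly the relationship the campaign relies on, and it is the first thing an analyst will want to pivot on. The threshold trades recall for precision; lowering it to 1 catches renamed binaries that use only a pool URL, at the cost of flagging every `curl -o`.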
