Multi-Stage Crypto Mining Malware Hides In Legitimate Apps With One-Month Delay Trigger


Researchers have uncovered a new multi-stage malware delivery campaign that relies on legitimate app installers distributed via popular software download sites.

The delivery of the malicious payload, which includes a cryptocurrency mining program, is done in stages with long delays that can add up to almost a month.

“After the initial installation of the software, the attackers delayed the infection process for weeks and removed traces of the original installation,” researchers at security firm Check Point Software Technologies said in a new report. “This allowed the campaign to operate successfully under the radar for years.”

Trojanized app campaign started in 2019

According to the Check Point Research team, a Turkish-speaking software developer called Nitrokod is behind the campaign, which has been running since at least 2019. Nitrokod’s website claims that the developer has been creating free software applications that include video and music converters, video downloaders and music players since 2017 with a combined installed base of around 500,000 users.

Some of Nitrokod’s trojanized programs can be found on app download sites like Softpedia and Uptodown. The application that Check Point reviewed is called Google Translate Desktop and it is a desktop application that allows people to use the Google Translate service, which is normally only available as a web service through a browser.

In fact, the Google Translate Desktop app itself is built using the open source Chromium Embedded Framework (CEF) project that allows app developers to implement the Chrome browser in their apps to display web content. This allowed the authors of Nitrokod to create functional applications without too much effort.

Apart from Google Translate Desktop, the developer also distributes similar apps such as Yandex Translate Desktop, Microsoft Translator Desktop, YouTube Music Desktop, Mp3 Download Manager and Pc Auto Shutdown. Check Point has identified users of these Trojanized applications in 11 countries.

Delayed malware deployment to avoid detection

Once the user downloads and installs an application, the deployment of malicious payloads does not happen immediately, which is a strategy to avoid detection. First, the app installer, which is built with a free tool called Inno Setup, accesses the developer’s website and downloads a password-protected RAR file containing the app files. These are placed in the Program Files (x86)\Nitrokod\[application name] path.

The application then checks for the presence of a component called update.exe. If it doesn’t find it, it deploys it to the Nitrokod folder and sets up a scheduled system task to run after every reboot. The installer then collects information about the victim’s system and sends it to the developer’s server.

Up to this point, the installation does not differ much from how a legitimate application would behave: collecting some system data for statistical purposes and setting up what appears to be an auto-update component.
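As an added defender-side example (not code from the Check Point report or from this article), the script below scans an exported scheduled-task list for the two persistence traits the installation stages above describe: a task whose binary lives under Program Files (x86)\Nitrokod, and an update.exe registered to run at every system start-up. The sample export, host name, task names and file paths are constructed for the example, and only a subset of the columns that `schtasks /query /fo CSV /v` really prints is included; the path-extraction heuristic for the "Task To Run" column is an assumption of this example.

```python
import csv
import io
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the column layout of `schtasks /query /fo CSV /v`
# (subset of the real columns; host, task names and paths are made up).
SAMPLE_TASK_EXPORT = """\
"HostName","TaskName","Task To Run","Schedule Type","Run As User"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","Monthly","SYSTEM"
"WS01","\\NitrokodUpdate","C:\\Program Files (x86)\\Nitrokod\\Google Translate Desktop\\update.exe","At system start up","WS01\\alice"
"WS01","\\Acme\\AcmeUpdater","C:\\Program Files (x86)\\Acme\\update.exe /silent","At system start up","SYSTEM"
"""

# Heuristic (an assumption of this example): the executable is the text up to
# the first ".exe", with optional surrounding quotes; anything after it is arguments.
_EXE_RE = re.compile(r'^\s*"?([^"]*?\.exe)"?', re.IGNORECASE)


def executable_path(task_to_run: str) -> str:
    """Return the executable path from a 'Task To Run' value, dropping arguments."""
    match = _EXE_RE.match(task_to_run)
    return match.group(1) if match else task_to_run.strip()


def classify_task(row: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when a task shows one of the described traits, else None."""
    exe = executable_path(row["Task To Run"])
    exe_norm = exe.lower().replace("/", "\\")
    base = ntpath.basename(exe_norm)
    trigger = row.get("Schedule Type", "").lower()

    # Rule 1: the campaign drops its files under Program Files (x86)\Nitrokod\<app>,
    # so any scheduled task launching a binary from that folder is a strong hit.
    if "\\nitrokod\\" in exe_norm:
        return ("high", "task runs a binary from the Nitrokod install folder: " + exe)

    # Rule 2: an update.exe scheduled at system start-up (i.e. after every reboot)
    # mirrors the persistence mechanism described in the report; worth a review.
    if base == "update.exe" and "start up" in trigger:
        return ("medium", "update.exe scheduled to run at system start-up: " + exe)

    return None


def scan_task_export(csv_text: str) -> List[Dict[str, str]]:
    """Parse a schtasks-style CSV export and collect findings per task."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hit = classify_task(row)
        if hit:
            severity, reason = hit
            findings.append({
                "host": row["HostName"],
                "task": row["TaskName"],
                "severity": severity,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_task_export(SAMPLE_TASK_EXPORT):
        print(f"[{finding['severity'].upper()}] {finding['host']} "
              f"{finding['task']}: {finding['reason']}")
```

On a real fleet the CSV would come from each host's `schtasks /query /fo CSV /v` output (or a task-export from an EDR), and the second rule will produce benign hits for vendors that legitimately name their updater update.exe, which is why it is rated medium rather than high and should be triaged against the task's author and file signature.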
