Multi-Stage Crypto Mining Malware Hides In Legitimate Apps With One-Month Delay Trigger

Researchers have uncovered a new multi-stage malware delivery campaign that relies on legitimate app installers distributed via popular software download sites. The delivery of the malicious payload, which includes a cryptocurrency mining program, is done in stages with long delays that can add up to almost a month.

“After the initial installation of the software, the attackers delayed the infection process for weeks and removed traces of the original installation,” researchers at security firm Check Point Software Technologies said in a new report. “This allowed the campaign to operate successfully under the radar for years.”

Trojanized app campaign started in 2019

According to the Check Point Research team, a Turkish-speaking software developer called Nitrokod is behind the campaign, which has been running since at least 2019. Nitrokod’s website claims that the developer has been creating free software applications that include video and music converters, video downloaders and music players since 2017 with a combined installed base of around 500,000 users.

Some of Nitrokod’s trojanized programs can be found on app download sites like Softpedia and Uptodown. The application that Check Point reviewed is called Google Translate Desktop and it is a desktop application that allows people to use the Google Translate service, which is normally only available as a web service through a browser.

In fact, the Google Translate Desktop app itself is built using the open source Chromium Embedded Framework (CEF) project, which allows app developers to embed a Chromium-based browser in their apps to display web content. This allowed the authors of Nitrokod to create functional applications without too much effort.

Apart from Google Translate Desktop, the developer also distributes similar apps such as Yandex Translate Desktop, Microsoft Translator Desktop, YouTube Music Desktop, Mp3 Download Manager and Pc Auto Shutdown. Check Point has identified users of these trojanized applications in 11 countries.

Copyright © 2022 IDG Communications, Inc.