Researchers have uncovered a new multi-stage malware delivery campaign that relies on legitimate app installers distributed via popular software download sites. The delivery of the malicious payload, which includes a cryptocurrency mining program, is done in stages with long delays that can add up to almost a month.
“After the initial installation of the software, the attackers delayed the infection process for weeks and removed traces of the original installation,” researchers at security firm Check Point Software Technologies said in a new report. “This allowed the campaign to operate successfully under the radar for years.”
Trojanized app campaign started in 2019
According to the Check Point Research team, a Turkish-speaking software developer called Nitrokod is behind the campaign, which has been running since at least 2019. Nitrokod’s website claims that the developer has been creating free software applications that include video and music converters, video downloaders and music players since 2017 with a combined installed base of around 500,000 users.
Some of Nitrokod’s trojanized programs can be found on app download sites like Softpedia and Uptodown. The application that Check Point reviewed is called Google Translate Desktop and it is a desktop application that allows people to use the Google Translate service, which is normally only available as a web service through a browser.
In fact, the Google Translate Desktop app itself is built using the open source Chromium Embedded Framework (CEF) project that allows app developers to implement the Chrome browser in their apps to display web content. This allowed the authors of Nitrokod to create functional applications without too much effort.
Apart from Google Translate Desktop, the developer also distributes similar apps like Yandex Translate Desktop, Microsoft Translator Desktop, YouTube Music Desktop and Mp3 Download Manager, Pc Auto Shutdown. Check Point has identified users of these Trojanized applications in 11 countries.
Delayed malware deployment to avoid detection
Once the user downloads and installs an application, the deployment of malicious payloads does not happen immediately, which is a strategy to avoid detection. First, the app installer, which is built with a free tool called Inno Setup, accesses the developer’s website and downloads a password-protected RAR file containing the app files. These are implemented in Program Files (x86)\Nitrokod\[application name] path.
The application then checks for the presence of a component called update.exe. If it doesn’t find it, it deploys it to the Nitrokod folder and sets up a scheduled system task to run after every reboot. The installer then collects information about the victim’s system and sends it to the developer’s server.
Up to this point, the installation is not very unusual in how a legitimate application would behave: collecting some system data for statistical purposes and implementing what appears to be an auto-update component. However, after approximately four system reboots on four different days, update.exe downloads and deploys another component called chainlink1.07.exe. This mechanism of delaying deployment and requiring multiple restarts is probably an attempt to defeat sandbox testing systems, which don’t test application behavior across multiple restarts.
The chainlink1.07.exe stager creates four different scheduled tasks that will run with different delays. One of them, which runs every three days, uses PowerShell to delete system logs. Another is set to run every 15 days and downloads another RAR file from a different domain using the intentionally misleading name intelserviceupdate. A third scheduled task runs every other day and is set to unpack the RAR archive, if it exists, while the fourth scheduled task runs every day and is set to run another component of the archive.
Although they are set to run more frequently, the third and fourth tasks do nothing until the 15-day delayed task that downloads the RAR file runs, as otherwise there is no file to extract and no executable to run.
“At this point, all related files and evidence are removed and the next stage of the infection chain will continue after 15 days by the Windows utility schtasks.exe,” the researchers said. “In this way, the early stages of the campaign are separated from the later ones, making it very difficult to trace the source of the infection chain and block the initial infected apps.”
The new malicious component is an intermediary dropper that further prepares the system for the final stages. First, it checks running processes for known virtual machine applications and security products, and if it finds any, it stops running. If this check passes, it adds a new firewall rule for the following components, as well as exclusions for them in Windows Defender.
Finally, the dropper implements another component called nniawsoykfo1.8.exe, which then implements two other executable files called nniawsoykfo.exe and powermanager.exe. The latter is a copy of the open source XMRig cryptocurrency mining program, while the former is a component that controls the miner and connects to a domain with nvidiacenter on its behalf where the attackers’ common and control server is hosted. .
The program sends information about the system, such as idle time, number of CPU cores, whether it is a desktop or a laptop, installed antivirus programs, the version of the implemented Powermanager.exe (XMRig) and more.
Strong app usage policies, primary defense against trojanized apps
While rogue or Trojan horse apps are not a new attack vector, stealthy campaigns like this one that manage to go unnoticed for years underscore why it is critically important for organizations to have strong app usage policies and enforce them for employees. . Application whitelisting solutions can also be used on sensitive systems to restrict which applications and from where they can be downloaded and installed by employees.
Copyright © 2022 IDG Communications, Inc.