Check Point Research (CPR) discovered in late July a new cryptomining malware attack posing as a Google Translate download.
The malware, known as Nitrokod, is believed to have potentially infected thousands of machines around the world and has been hosted on several popular download sites, including Softpedia and Uptodown, without the knowledge of the sites’ owners. It was also available directly through a Google search for “Google Translate Desktop download”.
Clicking to download the software installed the cryptominer on the machines of unsuspecting users. But there was never any rush to action for this particular malware: it was a multi-stage infection that only started cryptomining weeks after it was downloaded. In fact, those first few weeks were spent removing any telltale traces of the initial intrusion, so that the cryptominer could remain below the surface of the machine, potentially undetected for years.
Baiting the hook
It is important to understand how Nitrokod attracted its victims. There is, for example, no official Google Translate desktop application, and there never has been. Nitrokod, a Turkish-speaking software developer, advertises free, safe software downloads, mainly of apps that have no official downloadable version, including a Google Translate download.
That is very attractive bait for people and businesses that frequently need the app. Nothing tells a user that Google has never released a desktop version, and it is entirely plausible that a third-party developer has built an interface that wraps the online service as a desktop application. With banners declaring the download clean, people click to install the useful app without a second thought.
And since 2019, people have been doing just that, accidentally downloading cryptomining malware onto their machines.
Simplicity First
The design of most Nitrokod programs is actually quite simple: they wrap the official web pages of the applications they offer “downloadable” versions of in a Chromium-based framework. The downloaded program therefore requires minimal effort to build and, at least in its basic aspects, delivers the functionality it promises.
The delay, usually at least a month, between downloading the program and the start of any malicious activity helps dissociate any observed problems from the point of entry. In fact, there are typically six pre-infection stages before the cryptomining malware goes to work, and one of those stages involves removing the evidence of the initial infection.
The infection chain
This delayed-action infection is a signature of many modern malware infections and a specialty of Nitrokod campaigns. It is done through what is known as an infection chain: one thing leads to another, and each step moves the danger further away from the initial point of infection.
When you download the Google Translate desktop app, what you get is a real Google Translate desktop app. That dispels any suspicion: no alarm goes off, and very often none of the programs you’ve installed specifically to find and eradicate infections notice that something is wrong.
What comes with the Google Translate app is a second-stage dropper. Once the user launches the new software, a real Google Translate application is installed, and a series of four droppers begins ahead of the actual malware.
The initial download
GoogleTranslateDesktop.exe is a Windows installer built with Inno Setup, a free tool for packaging and creating setup files. The installer starts by downloading an encrypted RAR file. Specifically to protect against casual scans and downloads, the attacker’s server only serves the file if the User-Agent is set to “InnoDownloadPlugin/1.5” (the default user agent of the Inno Download Plugin).
GoogleTranslateDesktop2.50.exe is then extracted from the RAR file using “asx” as the password.
The GoogleTranslateDesktop2.50.exe installer starts by installing the Google Translate application into the following path: “C:\Program Files (x86)\Nitrokod\Google Translate Desktop\GoogleTranslateDesktop.exe”
After installation, the installer checks whether an update.exe file exists in the path “C:\ProgramData\Nitrokod”. If the file does not exist or its file version is not 1.0.7.0, the third-stage dropper update.exe is dropped there. A scheduled task is created to start update.exe at each system startup.
Finally, the installer sends a post-install message to the Nitrokod domain with information about the infected machine. All details are sent as arguments in an HTTP GET request.
The delayed drop
The stage 3 dropper (update.exe) is designed not to act until at least five days after installation. It tracks this with two registry values:
- “HKLU\Software\Update\D”: stores the date of the last execution.
- “HKLU\Software\Update\S”: acts as a counter.
Every time the updater runs (at every system boot), it checks whether the date of the last run equals the current date. If not, the counter is incremented by one. Once the counter reaches 4, the fourth-stage dropper (chainlink1.07.exe) is extracted from another encrypted RAR file. In practice, this requires at least four reboots on four different days, which for many users translates to at least several weeks of normal use. The mechanism is also an effective way to evade sandbox detection, since sandboxes do not run for several days or across multiple reboots.
Scheduled tasks
The fourth-stage dropper is responsible for creating four different scheduled tasks. After creating them, it clears all system logs using the Clear-EventLog PowerShell command. Then the stage 3 and stage 4 files are automatically deleted.
All related files and evidence quickly follow. The infection then lies dormant for 15 days before reactivating itself through the Windows utility “schtasks.exe”. That is a significant distance between the initial point of entry and the start of any serious malware activity, which makes it especially difficult to trace back.
After 15 days, an encrypted RAR file is downloaded from intelserviceupdate[.]com by the first scheduled task. The next day, the archive is decompressed by the second scheduled task and the stage 5 file is extracted. A day later, the third task executes the stage 5 file.
Testing the ground
The stage 5 file checks whether certain programs are installed on the infected machine. It first checks a list of known virtual machine processes, then a list of security products. If any of them is found, the program exits.
Next, a firewall rule is added to allow incoming network connections for a program that will be dropped in the next stage, named “nniawsoykfo.exe”.
Once that is done, Windows Defender exclusions are added for the “nniawsoykfo.exe” file and for a “powermanager.exe” file, which is dropped shortly afterwards.
The program then drops the final dropper, “nniawsoykfo1.8.exe”, from an encrypted RAR file and executes it.
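The chain described above leaves host artifacts a defender can hunt for: the startup task for update.exe under ProgramData\Nitrokod, the Software\Update date and counter values, the Defender exclusions for the named binaries, and cleared event logs. The Python below is an added example, not Check Point’s or Nitrokod’s code; the host snapshot it scans is constructed, and the Windows event IDs 1102 (Security log cleared) and 104 (System log cleared) are standard Windows events not quoted in the write-up.

```python
import re
from dataclasses import dataclass, field

# Indicators quoted in the write-up (sample data further down is constructed).
UPDATER_RE = re.compile(r"\\ProgramData\\Nitrokod\\update\.exe$", re.IGNORECASE)
COUNTER_VALUES = {r"software\update\d", r"software\update\s"}  # stage 3 delay counter
SUSPECT_BINARIES = {"nniawsoykfo.exe", "powermanager.exe"}     # stage 5 exclusions
LOG_CLEARED_IDS = {1102, 104}  # Windows: Security log cleared / System log cleared

@dataclass
class HostSnapshot:
    scheduled_tasks: list = field(default_factory=list)    # (name, action, trigger)
    registry_values: list = field(default_factory=list)    # hive\key\value paths
    defender_exclusions: list = field(default_factory=list)
    events: list = field(default_factory=list)             # (log name, event id)

def hunt(snap: HostSnapshot) -> list:
    """Return one finding string per matched Nitrokod artifact."""
    findings = []
    for name, action, trigger in snap.scheduled_tasks:
        if UPDATER_RE.search(action) and trigger.lower() == "at startup":
            findings.append(f"startup task '{name}' runs {action}")
    for value_path in snap.registry_values:
        # Strip the hive so the key compares the same under HKCU or HKLM.
        if value_path.split("\\", 1)[-1].lower() in COUNTER_VALUES:
            findings.append(f"delay counter value present: {value_path}")
    for path in snap.defender_exclusions:
        if path.rsplit("\\", 1)[-1].lower() in SUSPECT_BINARIES:
            findings.append(f"Defender exclusion for {path}")
    for log_name, event_id in snap.events:
        if event_id in LOG_CLEARED_IDS:
            findings.append(f"{log_name} log cleared (event {event_id})")
    return findings

def hunt_sample() -> list:
    """Run the hunt over a constructed snapshot resembling an infected host."""
    snap = HostSnapshot(
        scheduled_tasks=[
            ("Adobe Updater", r"C:\Program Files\Adobe\updater.exe", "Daily"),
            ("Update", r"C:\ProgramData\Nitrokod\update.exe", "At startup"),
        ],
        registry_values=[r"HKCU\Software\Update\D", r"HKCU\Software\Update\S",
                         r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"],
        defender_exclusions=[r"C:\ProgramData\nniawsoykfo.exe",
                             r"C:\Program Files\Vendor\agent.exe"],
        events=[("Security", 4624), ("Security", 1102), ("System", 104)],
    )
    return hunt(snap)
```

On a live host the same four inputs can be gathered with `Get-ScheduledTask`, the registry, `Get-MpPreference` and `Get-WinEvent`; the benign entries in the sample show that each check keys on the specific artifact rather than on any task or exclusion.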
The malware drop
That last dropper delivers three files: the malware, the miner, and a .sys file that supports them.
The next day, the malware runs via a scheduled task and cryptomining for the attackers begins.
The point of all this delay and gradual escalation is to act less like a bank robber and more like a spy: sitting quietly and mining resources for an indefinite period, rather than grabbing a lot of data at once and setting off every alarm in the building. It was detected by Check Point using its Infinity XDR (Extended Detection and Response) platform, which has techniques to counter such evasion strategies so that the malware’s activity can be observed and neutralized.
XDR and similar detection platforms have multiple behavioral detection elements built in, precisely so that they can combat the new generation of stealthy threats that are not used for ransomware but may quietly collect data or mine cryptocurrency for an indefinite period.