This cryptomining malware has been impersonating popular apps on free download websites for years without being detected

If there’s one thing that can’t be said about malware writers (just like cyberfraud writers) it’s that they don’t innovate: they are always looking for (and often finding) new ways to ‘sneak around’. And sometimes (and that’s the worst part) they manage to infect tens of thousands of computers for several years before anyone notices.

The latest case detected is that of a virus, created by a developer (or group of them) known only as ‘Kitrokod’, which we now know has infected more than 111,000 computers in the last 3 years posing as ‘desktop’ versions of popular web applications like Google Translate. Yandex Translate, YouTube Music or MP3 Download Manager.

In the words of Maya Horowitz, vice president of research at Check Point, the cybersecurity company that has studied and analyzed the case,

“Malicious tools can end up being used by anyone. They can be found by a simple web search, they can be downloaded from a link, and installation is a simple double-click.”

“What I find most interesting is the fact that malware is so widespread but has gone unnoticed for so long.”

Ransomware: what it is, how it infects and how to protect yourself

An infection in stages, so that no one suspects

The campaign launched by Nitrokod consists of using popular freeware download sites, such as Softpedia and Uptodown, as a means of spreading malware. This is relatively common, but his tactic to make detection more difficult is much less common…

… postpone the execution of the attached malware for several days, while its components are progressively installedto avoid linking malicious activity to the download.

After that time, and after several successive automated phases of preparation for the infection, the software that we have installed connects to a remote server to download and install its ‘payload’ (which can change at any time if Nitrokod’s goals change, moving to install, for example, ransomware).


Screenshot posted by Check Point to illustrate some of the most popular sources of spread of this malware.

In this case, said payload is a software of crypto mining that our PC will use (parasitizing our CPU resources, so be very vigilant for suspicious activity) to mine cryptocurrencies which will then be sent to the attacker’s wallet.

From Check Point they recommend, to avoid being a victim of this malware campaign or other similar ones, download the software only from the official channels of its developers or distributors. And of course, always avoid suspicious pages and messages as a source of download links.

Via | hackernews

Image | Marco Verch & – Prawny

Leave a Comment