Cryptomining malware hidden inside fake versions of popular software, distributed through freeware download sites, evades detection by waiting a month before running, in a campaign that has infected Windows PCs around the world.
Dubbed Nitrokod, the malware campaign has been active since at least 2019 and has been detailed by cybersecurity researchers at Check Point.
Cryptominers, also known as cryptojackers, are a form of malware that secretly exploits the computing power of infected devices to mine cryptocurrency.
The process often goes unnoticed. The victim never receives the mined cryptocurrency; it goes to the malware operator, who is likely running a large network of infected devices to generate as much cryptocurrency as possible without paying for the computing power or electricity.
Nitrokod is distributed via free software download sites that researchers say are easy to find through search engines. The downloads claim to be desktop versions of popular web applications, even though those applications have no real desktop version.
“The malware is dropped from applications that are popular but don’t have a real desktop version, such as Google Translate, keeping the malware versions in demand and exclusive,” Check Point said.
Anyone who downloads these trojanized applications will be unknowingly infected with cryptomining malware, but not until about a month after the first download: a multi-stage process delays the infection to help ensure the attack is not discovered.
The infection process begins when the application is downloaded via a web installer, which in turn downloads and runs an .exe installer that is used to maintain persistence on the infected machine, as well as to send information to the attacker.
Five days later, the next stage delivers a dropper that monitors reboots of the machine and, after the fourth one, extracts another installer from an encrypted RAR file. Gating each stage on elapsed time and reboot counts helps the malware evade analysis in the isolated sandbox environments security researchers use, which observe a sample for far less time than these delays.
At this point, evidence of the previous stages is removed from the log files to prevent the installation from being tracked, and a scheduled task is set to fire after 15 days.
At that point, another encrypted RAR file is downloaded. It delivers a further dropper, which in turn drops and executes yet another encrypted file, finally installing the cryptominer on the infected PC, about a month after the software was first downloaded.
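The persistence step in that chain, a scheduled task registered at install time that fires 15 days later, is something a defender can hunt for on an endpoint. The script below is an added example, not code from Check Point or from the campaign itself. It assumes Task Scheduler XML as written under C:\Windows\System32\Tasks (or exported with `schtasks /query /xml`) and flags tasks whose first trigger is far in the future relative to the task's registration date, plus tasks that launch binaries from user-writable locations; the two task definitions, the task names and the paths are constructed for illustration and are not real Nitrokod artifacts.

```python
"""Hunt for long-delayed scheduled tasks of the kind used as staged persistence.
Added example; assumes Windows Task Scheduler XML (namespace below is the real
schema). Sample tasks are constructed, not captured from Nitrokod."""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths a user-level installer can write without admin rights. Generic heuristic,
# not a campaign-specific indicator.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def parse_task(xml_text):
    """Extract name, registration time, trigger start times and exec commands."""
    root = ET.fromstring(xml_text)
    info = root.find("t:RegistrationInfo", NS)
    name = info.findtext("t:URI", default="(unnamed)", namespaces=NS)
    date = info.findtext("t:Date", default="", namespaces=NS)
    registered = datetime.fromisoformat(date) if date else None
    triggers = []
    for trig in root.findall("t:Triggers/*", NS):
        start = trig.findtext("t:StartBoundary", default="", namespaces=NS)
        if start:
            kind = trig.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
            triggers.append((kind, datetime.fromisoformat(start)))
    commands = [c.text for c in root.findall("t:Actions/t:Exec/t:Command", NS) if c.text]
    return {"name": name, "registered": registered, "triggers": triggers, "commands": commands}


def delay_days(task):
    """Longest gap, in days, between registration and a trigger's first firing."""
    if task["registered"] is None or not task["triggers"]:
        return None
    return max((start - task["registered"]).total_seconds() for _, start in task["triggers"]) / 86400


def assess(task, min_delay_days=7):
    """Return the reasons a task looks like staged persistence (empty list = clean)."""
    reasons = []
    delay = delay_days(task)
    if delay is not None and delay >= min_delay_days:
        reasons.append(f"first trigger {delay:.0f} days after registration")
    for cmd in task["commands"]:
        if any(p in cmd.lower() for p in USER_WRITABLE):
            reasons.append(f"runs from user-writable path: {cmd}")
    return reasons


def hunt(task_xmls, min_delay_days=7):
    """Map task name -> reasons for every task definition that trips a heuristic."""
    hits = {}
    for xml_text in task_xmls:
        task = parse_task(xml_text)
        reasons = assess(task, min_delay_days)
        if reasons:
            hits[task["name"]] = reasons
    return hits


# Constructed sample: an ordinary daily updater registered and scheduled the same day.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-08-01T09:00:00</Date><URI>\ExampleVendor\DailyUpdate</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2022-08-01T12:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command></Exec></Actions>
</Task>"""

# Constructed sample: registered at install time, one-shot trigger 15 days later,
# binary under the user's AppData. Hypothetical name and path.
STAGED_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-08-06T14:30:00</Date><URI>\Updater</URI></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2022-08-21T14:30:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\alice\AppData\Roaming\Updater\update.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, reasons in hunt([BENIGN_TASK, STAGED_TASK]).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a real host, feed `hunt()` the contents of every file under C:\Windows\System32\Tasks; the delay threshold is the interesting knob, since legitimate installers rarely register a task that first fires more than a few days out, whereas the 15-day wait above is exactly what a short-lived sandbox never gets to see.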
According to Check Point, the campaign remained hidden under the radar for years and victims around the world inadvertently infected their machines with malware.
“What’s most interesting to me is the fact that malware is so popular and yet has gone unnoticed for so long,” said Maya Horowitz, vice president of research at Check Point Software.
Anyone who has downloaded the apps is urged to uninstall them and delete the malicious files. To avoid falling victim to this and other Trojan software downloads, it is recommended that users only download legitimate software from trusted websites.
While cryptojackers are arguably among the least damaging forms of malware, falling victim should still be treated as a risk, particularly because the same delivery chain could be used to install more damaging malware, including ransomware and password-stealing Trojans.
“Currently, the threat we identified was to unknowingly install a cryptocurrency miner, which steals computing resources and leverages them for monetization by the attacker,” Horowitz said.
“Using the same attack flow, the attacker can easily choose to alter the final payload of the attack, changing it from a cryptominer to, for example, a ransomware or banking Trojan,” she added.