Analysts from Check Point have discovered an unusual cryptomining malware, Nitrokod. It disguises itself as a range of applications, from Yandex.Translate to MP3 Download Manager, installs itself on the victim's system, and then waits up to 30 days before launching the malicious stages of the attack.
Created by a Turkish-speaking company that claims to develop free and secure software, Nitrokod was discovered in June 2022 and has been active since 2019. According to experts, the miner has already infected about 111,000 machines in 11 countries, including the UK, USA, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia and Poland.
According to the researchers, the mining malware masquerades as a variety of useful utilities, which are hosted in the software catalogs of well-known sites such as Softpedia and Uptodown. A notable aspect of the campaign is that the malware impersonates services that have no official desktop version, including Yandex.Translate, Microsoft Translate, YouTube Music, MP3 Download Manager, and Pc Auto Shutdown.
For example, the malware is easy to find by searching Google for "download Google Translate Desktop". The report notes that on Softpedia alone, the Nitrokod Google Translate application has been downloaded more than 112,000 times.
At first glance, such software does not contain anything suspicious and performs the declared functions. However, the researchers explain that Nitrokod intentionally delays the installation of malicious components for up to a month to avoid detection.
Regardless of which program was downloaded from the Nitrokod website or from a popular software catalog, the end result is a password-protected RAR file that eludes antivirus detection and contains an executable file named after the chosen application. After running this file, the program is installed on the system along with two registry keys.
In order not to arouse suspicion and to complicate analysis, Nitrokod activates the dropper from another encrypted RAR file, fetched with Wget, only on the fifth day after infection. The malware then clears the system logs using PowerShell commands, and after another 15 days it retrieves the next encrypted RAR from intelserviceupdate[.]com.
The dropper for the next stage of the attack checks for antivirus software on the system, looks for processes that may belong to virtual machines, and finally adds a new firewall rule for itself and registers itself as a Windows Defender exclusion.
After that, the device is finally ready to receive the last payload. The last dropper downloads another RAR file that contains the XMRig based miner, its controller and a .sys file with settings. In the system, the malware determines whether it is running on a desktop or laptop, then connects to its command and control server (nvidiacenter[.]com) and sends a full report about the host system using HTTP POST requests.
The control server responds to the miner with instructions: whether it should start, what percentage of the CPU it may use, when to contact the C&C server again, and which programs to look for, exiting if any of them is found running.
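The behaviors described in the last four paragraphs (a Defender exclusion, a new firewall rule, cleared event logs, a Wget download, persistence that survives the 5-day and 20-day waits, and beaconing to the two named domains) are exactly what a responder would check for on a suspect host. The script below is an added example written for this page, not code from Check Point or from the Nitrokod campaign. It assumes an elevated PowerShell 5.1 or later session on the Windows host, takes the two domain names from the report above with the defanging brackets removed, and treats paths under AppData, Users\Public and Temp as an assumed heuristic for where a dropper is likely to live rather than as a documented Nitrokod install location.

```powershell
# Added triage script (not Check Point's or Nitrokod's code). Run elevated on a
# suspect Windows host; it only reads state and prints findings.
$iocDomains   = @('intelserviceupdate.com', 'nvidiacenter.com')  # C2 domains named in the report
$userWritable = '\\AppData\\|\\Users\\Public\\|\\Temp\\'         # assumed heuristic, not a documented Nitrokod path
$findings     = [System.Collections.Generic.List[string]]::new()

# 1. Windows Defender exclusions: the stage-2 dropper adds itself to Defender's exceptions.
$mp = Get-MpPreference
foreach ($x in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
    if ($x) { $findings.Add("Defender exclusion: $x") }
}

# 2. Firewall rules whose program lives outside the Windows / Program Files trees.
foreach ($rule in Get-NetFirewallRule -Enabled True -ErrorAction SilentlyContinue) {
    $prog = ($rule | Get-NetFirewallApplicationFilter).Program
    if ($prog -and $prog -ne 'Any' -and
        $prog -notmatch '^(%SystemRoot%|%windir%|C:\\Windows|%ProgramFiles%|C:\\Program Files)') {
        $findings.Add("Firewall rule '$($rule.DisplayName)' ($($rule.Direction)) for $prog")
    }
}

# 3. Event-log clearing. Wiping the Security log leaves event 1102 in it; wiping any
#    other log leaves event 104 in the System log, so the clearing itself is detectable.
$cleared = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -ErrorAction SilentlyContinue) +
           @(Get-WinEvent -FilterHashtable @{LogName='System';   Id=104}  -ErrorAction SilentlyContinue)
foreach ($e in $cleared) {
    $findings.Add("Log cleared at $($e.TimeCreated) (event $($e.Id) in $($e.LogName))")
}

# 4. Persistence: Run keys and scheduled tasks pointing into user-writable locations.
#    The installer writes two registry keys, and later stages fire on day 5 and day 20,
#    so something has to survive reboots in between.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        if ("$($p.Value)" -match $userWritable) { $findings.Add("Run key $key\$($p.Name) -> $($p.Value)") }
    }
}
foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match $userWritable) {
            $findings.Add("Scheduled task '$($task.TaskPath)$($task.TaskName)' runs $($a.Execute) $($a.Arguments)")
        }
    }
}

# 5. Tooling and C2 traces: Wget binaries in user space, and the C2 domains in the DNS cache.
foreach ($w in Get-ChildItem -Path $env:USERPROFILE, 'C:\Users\Public' -Recurse -Filter 'wget*.exe' -ErrorAction SilentlyContinue) {
    $findings.Add("wget binary in user space: $($w.FullName)")
}
$dns = @(Get-DnsClientCache -ErrorAction SilentlyContinue)
foreach ($d in $iocDomains) {
    if ($dns | Where-Object { $_.Entry -like "*$d" }) { $findings.Add("C2 domain in DNS cache: $d") }
}

# 6. CPU consumers running from user-writable paths (the XMRig-based miner is throttled
#    by the C2 to a set CPU percentage, so sort by accumulated CPU time, not instantaneous load).
foreach ($proc in Get-Process | Where-Object { $_.Path -and $_.Path -match $userWritable } |
                  Sort-Object CPU -Descending | Select-Object -First 5) {
    $findings.Add("User-space process $($proc.ProcessName) (pid $($proc.Id)) CPU time $([int]$proc.CPU)s: $($proc.Path)")
}

if ($findings.Count -eq 0) { 'No Nitrokod-style artifacts found (absence of evidence only).' }
else { $findings | Sort-Object -Unique }
```

Each finding is an indicator to investigate, not proof of infection: administrators add Defender exclusions and firewall rules legitimately, and developer tooling often lives under AppData. Two points follow directly from the campaign's design. Because the stages arrive as password-protected RAR archives that antivirus cannot inspect, the persistence and exclusion checks are more reliable than scanning the downloaded files, and because nothing malicious runs for the first five days, a host that looks clean right after the fake installer ran should be re-checked after the day-5 and day-20 marks.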