A stealth cryptomining campaign attributed to Nitrokod has reportedly infected thousands of computers in 11 countries with malware, according to Check Point Research (CPR).
The attackers embedded hidden mining components in free desktop applications that wrap popular web services such as Google Translate and YouTube Music.
The campaign is linked to Nitrokod, a Turkish software developer active since 2019, which offers free desktop versions of services that have no official desktop client.
Nitrokod products. Data: CPR.
Most of these applications are built with a Chromium-based framework that simply wraps the official web page, so no real development is required, the researchers noted.
The popularity of the underlying service earns the clones high positions in search results, and the software is also distributed through free-software download portals such as Softpedia and uptodown, CPR observed.
Search results for a request to download Google Translate Desktop. Data: CPR.
The attackers stayed unnoticed for a long time because of a long, multi-stage infection chain: the hidden component that installs the miner was only activated several weeks after the program had been installed on the computer.
The installation was split into six stages, each disguised as a software update. At every stage the installer deleted its traces from the logs, which made detection harder.
Once the XMRig Monero miner had been dropped, the malware re-launched it every day through a scheduled task, so that it would be restarted even if security software had stopped it.
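The scheduled-task persistence described above leaves an artifact that can be triaged offline: Windows stores every task definition as an XML file under C:\Windows\System32\Tasks. The following Python script is an added example written for this page, not code from the article or from Check Point; it parses such task XML and flags tasks whose binary runs from a user-writable directory or whose command line carries stratum/XMRig traits. The two task definitions embedded in it are constructed for the example, and their task names, paths, pool address and wallet are hypothetical.

```python
"""Offline triage of Windows scheduled-task XML for miner persistence.

Added example, not code from the article or from Check Point. Task definitions
under C:\\Windows\\System32\\Tasks are XML; this script parses them and flags
tasks that look like a daily re-launch of an XMRig-style miner. The two sample
definitions below are constructed for this example (hypothetical names, paths,
pool address and wallet).
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a legitimately installed service rarely runs from (user-writable),
# written either as a path segment or as the environment variable a task may use.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public)\\"
    r"|%(APPDATA|LOCALAPPDATA|TEMP|TMP|PROGRAMDATA|PUBLIC)%",
    re.IGNORECASE,
)
# Command-line traits of XMRig-style miners: stratum pool URLs and XMRig flags.
MINER_ARGS = re.compile(
    r"stratum\+(tcp|ssl|tls)://|--donate-level|--coin[ =]monero|--randomx",
    re.IGNORECASE,
)


def parse_task(xml_doc):
    """Extract name, action and trigger facts from one task XML (str or bytes)."""
    root = ET.fromstring(xml_doc)
    return {
        "uri": root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS),
        "command": root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS),
        "arguments": root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS),
        # A ScheduleByDay trigger is the "run it every day" pattern from the article.
        "daily": root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None,
    }


def assess_task(task):
    """Return the reasons a parsed task looks like miner persistence (empty if clean)."""
    reasons = []
    if USER_WRITABLE.search(task["command"]):
        reasons.append("binary runs from a user-writable directory")
    if MINER_ARGS.search(task["command"] + " " + task["arguments"]):
        reasons.append("command line carries stratum/XMRig traits")
    # A daily trigger on its own is normal; it only matters once something else tripped.
    if reasons and task["daily"]:
        reasons.append("daily trigger re-launches the binary if it is killed")
    return reasons


def find_suspicious(xml_docs):
    """Map task URI -> reasons for every task that trips at least one check."""
    findings = {}
    for doc in xml_docs:
        task = parse_task(doc)
        reasons = assess_task(task)
        if reasons:
            findings[task["uri"]] = reasons
    return findings


def load_task_dir(path):
    """Read every file below `path` as raw bytes; Windows writes task XML as UTF-16
    with a BOM, which the XML parser detects by itself when handed bytes."""
    docs = []
    for dirpath, _, files in os.walk(path):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                docs.append(fh.read())
    return docs


# Constructed sample: an updater installed under Program Files on a daily schedule.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\UpdateCheck</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/check</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: a daily task with a system-looking name that runs an XMRig-style
# command line from the user's roaming profile (hypothetical path, pool and wallet).
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\PowerManager\Check</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\alice\AppData\Roaming\PowerManager\powermanager.exe</Command>
    <Arguments>-o stratum+tcp://pool.example.net:3333 -u 4examplewallet --donate-level 1 -k</Arguments>
  </Exec></Actions>
</Task>"""


if __name__ == "__main__":
    # With a directory argument (e.g. a copy of System32\Tasks from a triage image),
    # scan it; otherwise run against the constructed samples.
    docs = load_task_dir(sys.argv[1]) if len(sys.argv) > 1 else [BENIGN_TASK, SUSPICIOUS_TASK]
    for uri, reasons in find_suspicious(docs).items():
        print(uri)
        for reason in reasons:
            print("  -", reason)
```

The daily trigger is deliberately not a finding on its own, since plenty of legitimate updaters use one; it is only reported once the binary location or the command line has already tripped a check, which mirrors the article's point that the schedule is there to revive the miner rather than being suspicious by itself.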
According to the researchers, the campaign was uncovered with Check Point's XDR solution, which was able to identify each individual action of the malware, track it over time and correlate the actions into a single attack.
Recall that in December 2021 attackers distributed Monero-mining malware via a torrent purporting to be a pirated copy of the movie «Spider-Man: No Way Home».
Read ForkLog bitcoin news in our Telegram — cryptocurrency news, rates and analytics.