
Recently, researchers from cybersecurity company Check Point reported on a cryptomining malware that has infected thousands of computers worldwide, called Nitrokod.
This malware, designed to mine Monero (XMR) clandestinely, has been infecting computing equipment around the world for years. In fact, according to the report published by the cybersecurity company's researchers, thousands of attacks have been recorded in 11 countries.
With a malware campaign of such magnitude, why had no one detected it until now?
Beware of Nitrokod malware!
Cybersecurity firm Check Point Research details that the Nitrokod malware uses an evasion mechanism that has allowed it to operate under the radar of security companies for years.
Check Point described the Nitrokod malware attack as a “week-long infection process,” in which a long, 7-stage infection is triggered, ending with the cryptomining malware, specially designed to mine Monero (XMR), the leading privacy cryptocurrency on the market.
The Nitrokod malware first runs almost a month after installing an infected application.
This infection mechanism has given the creators of this cryptomining malware enough time to remove traces of the original Nitrokod installation, hijacking their victims’ computing resources to mine XMR undetected.
You can get infected with Nitrokod from Google Translate, YouTube Music, among others
The Nitrokod malware, active since 2019, was created by a Turkish-speaking entity and, according to Check Point Research, can be found on Google when users search for common apps like Google Translate and YouTube Music.
However, one point to keep in mind is that the computers infected with the Nitrokod malware had downloaded popular software that does not have an official desktop version. The most common search on the Web was for a desktop application, «Google Translate Desktop download»: a fake version of Google Translate, since no official desktop version exists.

Check Point explains that most of these apps and programs, infected with the Nitrokod malware, are built from official websites using a Chromium-based framework (Electron or CEF).
Nitrokod malware stages and infection chain
The first stage of the Nitrokod malware infection starts with downloading an infected program, such as “Google Translate Desktop download”. Then comes the installation stage, in which the malware installer sends a “Post Install” message to the Nitrokod domain with information about the infected computer.
The Nitrokod infection chain continues with a third stage, the Delayed Dropper: a malicious program that keeps the malware hidden so that it is installed on the computer without being detected by an antivirus. This stage, according to Check Point, can last for weeks.

In the fourth stage, the Nitrokod malware creates and schedules a series of tasks and then deletes all system logs, hiding the trail of the last two stages of the malware. At this point, Check Point explains, the first stages of the Nitrokod malware infection chain are separated from the next ones, making it even more difficult to track the malware and the infected applications.

The fifth stage of infection occurs after the previously scheduled tasks have been completed. At this stage, the malware performs several actions: it runs virtual machine tests and checks whether the infected computer has a firewall or Windows Defender installed, an antispyware program designed to complement the functions of an antivirus and detect all types of malware.
If the infected computer has protections in place, the malware adds a firewall rule to allow incoming network connections for a program that will be dropped in the next stage, called nniawsoykfo.exe, the cybersecurity company explained.
In the sixth stage, the Miner Dropper, the malware executes three files, “Powermanager.exe”, “nniawsoykfo.exe” and “WinRing0.sys”, focused on mining Monero. The seventh and final stage, Cryptomining Malware, runs the Nitrokod cryptomining malware.
The malware connects to its server and receives a series of instructions in order to control the malware and the XMR miner.
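A single-host hunt for the artefacts described in stages 4 to 6, added here as an example and not taken from Check Point's report: the file names are the ones the article gives; the look-back window and the reliance on Windows event IDs 1102 and 104 (the records Windows writes when the Security and System logs are cleared) are assumptions of this example.

```powershell
# Added hunt script (not from the Check Point report). File names below come from the
# article; the look-back window and everything else are assumptions for illustration.
$SuspectFiles = @('Powermanager.exe', 'nniawsoykfo.exe', 'WinRing0.sys')
$LookbackDays = 45   # stage 3 can idle for weeks, so look back further than usual
$pattern = ($SuspectFiles | ForEach-Object { [regex]::Escape($_) }) -join '|'
$findings = @()

# Stage 5: an inbound-allow firewall rule scoped to one of the dropped binaries.
foreach ($filter in Get-NetFirewallApplicationFilter) {
    if ($filter.Program -match $pattern) {
        $rule = $filter | Get-NetFirewallRule
        if ($rule.Direction -eq 'Inbound' -and $rule.Action -eq 'Allow') {
            $findings += "Firewall: inbound allow rule '$($rule.DisplayName)' for $($filter.Program)"
        }
    }
}

# Stage 4: scheduled tasks whose action launches (or passes as an argument) a dropped file.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ("$($action.Execute) $($action.Arguments)" -match $pattern) {
            $findings += "Task: $($task.TaskPath)$($task.TaskName) runs $($action.Execute) $($action.Arguments)"
        }
    }
}

# Stage 4 also wipes event logs. The clear itself is recorded as the first surviving
# entry: Event ID 1102 in the Security log and Event ID 104 in the System log.
$since = (Get-Date).AddDays(-$LookbackDays)
$clearEvents  = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} -ErrorAction SilentlyContinue)
$clearEvents += @(Get-WinEvent -FilterHashtable @{LogName='System';   Id=104;  StartTime=$since} -ErrorAction SilentlyContinue)
foreach ($e in $clearEvents) {
    $findings += "Log cleared: $($e.LogName) at $($e.TimeCreated) (Event ID $($e.Id))"
}

# Stage 6: the dropped binaries still running, and the WinRing0 driver loaded.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if ($SuspectFiles -contains "$($proc.ProcessName).exe") {
        $findings += "Process: $($proc.ProcessName) (PID $($proc.Id)) $($proc.Path)"
    }
}
# WinRing0 is also shipped by some legitimate hardware-monitoring tools, so treat a hit
# as a lead to confirm against the other findings, not as proof on its own.
foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match 'WinRing0' }) {
    $findings += "Driver: $($drv.Name) ($($drv.State)) $($drv.PathName)"
}

if ($findings.Count -eq 0) { 'No Nitrokod-style artefacts found.' } else { $findings }
```

Run it in an elevated PowerShell session, since reading the Security log and firewall rules requires administrator rights; a log-clear event by itself only shows that the logs were wiped, so correlate it with the task and firewall hits before drawing conclusions.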
Safety recommendations
As we have reported on Bit2Me News, malware has become a widespread tool in the cryptocurrency industry. Many malicious actors use this type of program to steal cryptocurrencies or, in this case, hijack a computer's computing resources to secretly mine cryptocurrencies.
In the face of this risk, the most advisable thing is to avoid downloading applications and programs from unofficial websites and to stay away from links that lead to pages and websites of dubious origin or that seem suspicious.
As the cybersecurity company noted, an official desktop version of Google Translate does not exist, so it is advisable to research the official resources that companies have created before downloading an app.
Finally, it is advisable to always keep your antivirus, firewall and security solutions up to date to protect yourself from any malware threats.