A Google Translate desktop app is hiding crypto-mining malware

1 Sep 2022

Image: © monticellllo/Stock.adobe.com

Check Point said the crypto-mining campaign has been active since 2019, infecting an estimated 111,000 victims in 11 countries.

A malicious campaign mimicking Google Translate and other free software is infecting computers with crypto-mining malware, according to a new report.

Researchers at Check Point said the campaign drops the malware from unofficial desktop versions of popular apps. This Turkish-based campaign, called Nitrokod, has been active since 2019 and has claimed victims in 11 countries.

The report said that Nitrokod’s software is typically downloaded on platforms like Softpedia and Uptodown. When a user launches the new software, an application such as Google Translate is installed.

However, an updated file is also dropped, which starts a series of four droppers until the actual malware is dropped. After the malware is executed, it connects to the command and control server to start the mining activity.

“Currently, the threat we identified was unknowingly installing a cryptocurrency miner, which steals computer resources and leverages them for the attacker to monetise on,” Check Point VP of research Maya Horowitz said.

Most of the developed Nitrokod programs are easily built from official web pages using a Chromium-based framework. Check Point said this gives the attackers the ability to spread functional programs easily without having to develop them.

Researchers added that the most popular Nitrokod programme is the Google Translate desktop application. As Google has not released an official desktop version of its translation service, this could make the attackers’ version very appealing.

“Using the same attack flow, the attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking Trojan,” Horowitz noted.

Check Point said the Nitrokod authors separate the malicious activity from the initial download to avoid detection. The malware is first executed almost a month after the program is installed and is delivered in six stages.

The campaign has proven successful, with an estimated 111,000 victims since 2019, in countries including the UK, US, Germany and Turkey.

Check Point said users should be careful of lookalike domains, keep an eye out for spelling errors in websites and avoid unfamiliar email senders.

“What’s most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long,” Horowitz said. “We blocked the threat for Check Point customers, and are publishing this report so that others can be protected as well.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com