At the end of July 2022, Check Point Research (CPR) detected a previously undisclosed cryptomining campaign, called Nitrokod, which potentially infected thousands of machines worldwide.
At the campaign’s core there are several useful utilities. Created by a Turkish-speaking entity, the campaign dropped malware from free software available on popular websites such as Softpedia and uptodown. The software can also be easily found through Google when users search “Google Translate Desktop download”. While the applications boast “100 CLEAN” banners on some sites, the applications are in fact trojans, and contain a delayed mechanism that unleashes a long multi-stage infection ending with a cryptomining malware. After the initial software installation, the attackers delayed the infection process for weeks and deleted traces of the original installation. This allowed the campaign to operate under the radar for years.
To avoid detection, the Nitrokod authors separate malicious activity from the initially downloaded Nitrokod program:
- The malware is first executed almost a month after the Nitrokod program was installed.
- The malware is delivered after 6 earlier stages of infected programs.
- The infection chain continues after a long delay, using a scheduled task mechanism, giving the attackers time to clear the evidence.