This sneaky malware can hide on your PC for a month


Cryptocurrency mining malware is hiding in fake versions of popular software distributed via free download sites. To remain undetected, it waits a month before running, in a campaign that has infected Windows PCs worldwide.

Codenamed Nitrokod, the malware campaign has been active since at least 2019 and was detailed by Check Point cybersecurity researchers.

Cryptojackers are a form of malware that covertly exploit the computing power of infected devices to mine cryptocurrencies.

An often invisible process

The process often goes unnoticed, and the victim never receives the mined cryptocurrency: it is sent to the malware operator, who is likely using a large network of infected devices to generate as much cryptocurrency as possible without paying for the computing power or electricity.

Nitrokod is distributed via freeware download sites which researchers say can be found easily using search engines. The downloaded software pretends to be a desktop version of a popular web application, even when the real application has no desktop version at all.

“Malware is dropped from apps that are popular but don’t have an actual desktop version, like Google Translate, which keeps versions of the malware in demand and exclusive,” Check Point said.

Anyone who downloads these trojanized apps is unwittingly infected with cryptocurrency mining malware, but not until a month after the first download: a multi-step process delays the infection so that the attack is not discovered.

Many stages

The infection process begins when the application is downloaded via a web installer, which in turn downloads and runs an .exe installer used to maintain persistence on the infected machine, as well as to send information about it back to the attacker.

Five days later, the next step in the process delivers an installer that watches for the machine to restart and, after the fourth restart, extracts another installer from an encrypted RAR file. This multi-step approach allows the malware to avoid detection in a sandbox set up by security researchers, which typically runs a sample for minutes, not weeks.

At this point, evidence from the previous steps is removed from the log files to prevent the installation from being tracked, and a scheduled task is set to trigger after 15 days.

When that task fires, another encrypted RAR file is downloaded, which delivers another dropper, which in turn delivers yet another dropper from an encrypted file and runs it, installing the cryptocurrency miner on the infected PC a month after the initial software download.
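The delayed scheduled task described above is the most visible artifact of this chain on the endpoint. The following Python is an added example, not code from the article or from Check Point: it parses Windows Task Scheduler XML (as produced by `schtasks /query /xml` or carried in the TaskContent field of Security event 4698) and flags tasks whose first trigger sits many days after registration. The task names and paths in the sample XML are constructed for illustration.

```python
# Added example (not from the article or Check Point): flag scheduled tasks whose
# first trigger is set far after registration, the delay pattern the article describes.
import xml.etree.ElementTree as ET
from datetime import datetime

# Windows Task Scheduler XML namespace (same in schtasks /query /xml output and in
# the TaskContent field of Security event 4698).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None

def task_delay_days(task_xml):
    """Days between task registration and its first TimeTrigger, plus the command it runs.

    Returns (None, command) when either timestamp is missing."""
    root = ET.fromstring(task_xml)
    registered = _text(root, "t:RegistrationInfo/t:Date")
    start = _text(root, "t:Triggers/t:TimeTrigger/t:StartBoundary")
    command = _text(root, "t:Actions/t:Exec/t:Command")
    if registered is None or start is None:
        return None, command
    delta = datetime.fromisoformat(start) - datetime.fromisoformat(registered)
    return delta.total_seconds() / 86400, command

def is_delayed_task(task_xml, min_delay_days=7):
    """True when the task waits at least min_delay_days before its first run."""
    days, _ = task_delay_days(task_xml)
    return days is not None and days >= min_delay_days

# Constructed sample tasks (hypothetical paths, not real Nitrokod artifacts).
DELAYED_TASK = """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-08-01T10:00:00</Date></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2022-08-16T10:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\victim\\AppData\\Roaming\\update.exe</Command></Exec></Actions>
</Task>"""

ROUTINE_TASK = """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-08-01T10:00:00</Date></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2022-08-02T03:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Vendor\\backup.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("delayed", DELAYED_TASK), ("routine", ROUTINE_TASK)):
        days, cmd = task_delay_days(xml)
        print(f"{name}: first run {days:.1f} days after registration -> {cmd}")
```

Pair the delay check with the command path: a long first-run delay on a binary under a user profile directory is worth a closer look, while a vendor task in Program Files with a short delay is routine.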

An open door to other threats

According to Check Point, the campaign remained hidden for years and victims around the world inadvertently infected their machines with malware.

“What strikes me most is that this malware is so popular, but it’s been hidden for so long,” said Maya Horowitz, vice president of research at Check Point Software.

Anyone who has downloaded these apps is advised to uninstall them and remove the malicious files. To avoid falling victim to this and other trojanized software, users are recommended to download software only from legitimate, trusted websites.

Although cryptojackers are among the least damaging forms of malware, falling victim to one should still be treated as a risk, especially since the methods used to install them can be reused to install other, more damaging forms of malware, including ransomware and password-stealing trojans.

“Currently, the threat we have identified is unknowingly installing a cryptocurrency miner, which steals computer resources and exploits them for the attacker to profit from. Using the same attack flow, the attacker can easily choose to change the final attack payload from a cryptocurrency miner to, say, a ransomware or banking trojan,” said Maya Horowitz.

Source: ZDNet.com