Check Point researchers discovered a Turkish based crypto miner malware campaign, dubbed Nitrokod, which infected machines across 11 countries
The threat actors dropped the malware from popular software available on dozens of free software websites, including Softpedia and uptodown. Experts noticed that the software can also be easily found through Google by searching “Google Translate Desktop download”.
The campaign operated under the radar for years because the operators adopted several tricks, such as implementing a delayed mechanism to unleash a long multi-stage infection.
The malicious code is first executed almost a month after the Nitrokod software was installed on the victim’s system, the infection chain analyzed by the researcher is composed of 6 stages.
The attackers used a scheduled tacks mechanism to implement delays between each stage of the infection chain.
The infection chain starts with the installation of a tainted program downloaded from the Internet. Upon executing the software, an actual Google Translate application is installed and an updated file is dropped which starts a series of four droppers until the actual malware is dropped.
