Users searching for desktop versions of Google applications have been infected by an insidious malware campaign that mines the privacy-focused cryptocurrency monero (XMR).
The malware, Nitrokod, probably isn’t familiar to you. It was discovered last month by Check Point Research (CPR), a cyber intelligence firm based in Israel.
According to the firm, Nitrokod initially poses as free software and has had remarkable success at the top of Google search results for “Google Translate desktop download.”
Since 2017, when crypto’s popularity rose, mining malware has been used to infiltrate unsuspecting users’ machines.
In November 2017, CPR detected the well-known cryptojacking malware CoinHive, which also mined XMR.
An end-user’s CPU resources were stolen by CoinHive without their knowledge.
During its peak, the malware generated $250,000 a month, most of it going to a handful of people.
According to CPR, Nitrokod was deployed by a Turkish-speaking entity in 2019. Its seven-stage infection chain evades antivirus programs and other system defenses.
Malware can reach the top of Google search results with little difficulty, and the fake apps are distributed from two main sources. We have reached out to Google to learn how it filters these threats.
After the application is downloaded, an installer runs a delayed dropper that updates itself on every restart. On the fifth day, the delayed dropper extracts an encrypted file.
Once 15 days have passed, Nitrokod creates scheduled tasks, clears logs, and adds exclusions to the antivirus software.
Powermanager.exe is then surreptitiously dropped onto the infected machine and starts mining monero using XMRig (the same miner used by CoinHive).
According to the report, the attackers delay the infection process for weeks after the initial software installation.
CPR’s threat report ends with instructions for cleaning machines infected with Nitrokod.
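The day-15 behaviours described above (scheduled-task creation, log clearing and antivirus exclusions) are the noisiest part of the chain and the easiest place to detect it. The script below is an added example written for this page, not code from CPR’s report: it correlates the corresponding Windows event IDs (Security 4698 for a created scheduled task, Security 1102 and System 104 for cleared logs, Windows Defender Operational 5007 for a configuration change that adds an exclusion) per host within a time window. The event records, hostnames, task name and exclusion path are constructed sample data, and the flat record layout is a simplification of an event-log export, not a real format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows event IDs for the three behaviours described in the article.
# The record layout (host/channel/event_id/time/message) is a simplified
# stand-in for exported event-log rows, not a real export format.
SIGNALS = {
    ("Security", 4698): "scheduled_task_created",  # "A scheduled task was created"
    ("Security", 1102): "security_log_cleared",    # "The audit log was cleared"
    ("System", 104): "system_log_cleared",         # "The System log file was cleared"
    ("Microsoft-Windows-Windows Defender/Operational", 5007): "defender_config_changed",
}


def classify(event):
    """Return the behaviour name for one event record, or None if not of interest."""
    name = SIGNALS.get((event["channel"], event["event_id"]))
    if name == "defender_config_changed":
        # 5007 fires for many benign configuration changes; only a change under
        # the Exclusions registry key (path/process/extension) counts here.
        return "defender_exclusion_added" if "\\Exclusions\\" in event["message"] else None
    return name


def correlate(events, window=timedelta(hours=24), min_behaviours=2):
    """Flag hosts where at least `min_behaviours` distinct behaviours occur
    within `window`. Returns {host: sorted list of behaviours seen}."""
    per_host = defaultdict(list)
    for ev in events:
        behaviour = classify(ev)
        if behaviour:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), behaviour))

    alerts = {}
    for host, signals in per_host.items():
        signals.sort()
        best = set()
        # Slide a window starting at each signal; keep the largest distinct set.
        for i, (start, _) in enumerate(signals):
            seen = {b for t, b in signals[i:] if t - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_behaviours:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample records, not real telemetry. WS-01 shows the three
# behaviours within minutes; WS-02 shows only routine activity.
SAMPLE_EVENTS = [
    {"host": "WS-01", "channel": "Security", "event_id": 4698, "time": "2022-08-15T03:02:10",
     "message": "A scheduled task was created. Task Name: \\UpdateCheck"},
    {"host": "WS-01", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007,
     "time": "2022-08-15T03:02:41",
     "message": "Antimalware platform configuration changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\example = 0x0"},
    {"host": "WS-01", "channel": "Security", "event_id": 1102, "time": "2022-08-15T03:03:05",
     "message": "The audit log was cleared."},
    # Legitimate task creation on its own should not alert.
    {"host": "WS-02", "channel": "Security", "event_id": 4698, "time": "2022-08-15T09:00:00",
     "message": "A scheduled task was created. Task Name: \\BackupNightly"},
    # A Defender 5007 that is not an exclusion change is ignored by classify().
    {"host": "WS-02", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007,
     "time": "2022-08-15T09:05:00",
     "message": "Antimalware platform configuration changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x0"},
]


if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(behaviours)}")
```

The window is deliberately wide and the threshold deliberately low: because the downloader sits idle for days before the dropper acts, the first-stage installation looks benign, so the correlation keys on the later stage, where several suspicious actions land close together. Feed it from an event-log export (for example from Get-WinEvent or wevtutil, mapped into the record layout above) and tune `window` and `min_behaviours` to the noise level of your own fleet; a scheduled task alone is routine, but a task plus a fresh Defender exclusion plus a cleared log on the same host deserves a look.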