May 28, 2023

A Turkish-based cryptocurrency mining malware campaign has been detected called Nitrokod, that infected machines across 11 countries with an XMRig crypto miner.

The malware operators leverage popular software programs available for download on free software sites, such as Softpedia. To avoid detection, the threat actors separate any malicious activity from the downloaded fake software. The software also appears quite easily in Google search results when you search for “Google Translate Desktop download.”

The applications are advertised as “100 clean” via various banners while in truth they are trojanized. The downloads also contain a delayed mechanism that unleashed a long multi-stage infection ending with a crypto miner malware.

Once after the installation, the attackers delayed the infection process for weeks and deleted traces from the original installation. This allowed the campaign to successfully operate under the radar for years.

Advertisements

These are the steps the Nitrokod attacker followed to avoid detection:

  • Executing the malware almost a month after the Nitrokod program was installed.
  • Delivering the payload after 6 earlier stages of infected programs.
  • A continuous infection chain initiated after a long delay using a scheduled task mechanism, giving the attackers time to clear the evidence.

Nearly all detected Nitrokod campaigns share the same infection chain, starting with the installation of a freely downloaded, trojanized app and ending with the miner’s installation.

Once the user launches the new software, an actual Google Translate application is installed. In addition, an updated file is dropped which starts a series of four droppers until the actual malware is dropped. Once executed, the malware connects to its command-and-control server to receive a configuration for the XMRig crypto miner and start the mining process.

Advertisements

Remediation:

To clean an infected machine, follow these steps.

  1. Remove the following files on system32:
    • Any file starting with chainlink.
    • exe
    • exe
  2. Remove the updater.
    • Remove the folder C:\ProgramData\Nitrokod.
  3. Remove malicious schedule tasks.
    • InstallService\1
    • InstallService\2
    • InstallService\3
    • InstallService\4

Indicators of Compromise

  • Nitrokod[.]com
  • Intelserviceupdate[.]com
  • nvidiacenter[.]com
  • abe0fb9cd0a6c72b280d15f62e09c776
  • a3d1702ada15ef384d1c8b2994b0cf2e
  • 668f228c2b2ff54b4f960f7d23cb4737
  • 017781535bdbe116740b6e569657eedf
  • 0cabd67c69355be4b17b0b8a57a9a53c
  • 27d32f245aaae58c1caa52b349bed6fb
Tags:

Leave a Reply

You may have missed

CrowdStrike strategy dominates MDR Market

CrowdStrike strategy dominates MDR Market

May 28, 2023
TheCyberThrone Security Week In Review–May 27, 2023

TheCyberThrone Security Week In Review–May 27, 2023

May 28, 2023
Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023
Apria Data Breach affects 2 million customers

Apria Data Breach affects 2 million customers

May 27, 2023
CosmicEnergy Malware Shutting Electric grid

CosmicEnergy Malware Shutting Electric grid

May 27, 2023
Operation Magalenha from Brazil

Operation Magalenha from Brazil

May 27, 2023
%d bloggers like this: