September 26, 2023

A Turkish-based cryptocurrency mining malware campaign has been detected called Nitrokod, that infected machines across 11 countries with an XMRig crypto miner.

The malware operators leverage popular software programs available for download on free software sites, such as Softpedia. To avoid detection, the threat actors separate any malicious activity from the downloaded fake software. The software also appears quite easily in Google search results when you search for “Google Translate Desktop download.”

The applications are advertised as “100 clean” via various banners while in truth they are trojanized. The downloads also contain a delayed mechanism that unleashed a long multi-stage infection ending with a crypto miner malware.

Once after the installation, the attackers delayed the infection process for weeks and deleted traces from the original installation. This allowed the campaign to successfully operate under the radar for years.

Advertisements

These are the steps the Nitrokod attacker followed to avoid detection:

  • Executing the malware almost a month after the Nitrokod program was installed.
  • Delivering the payload after 6 earlier stages of infected programs.
  • A continuous infection chain initiated after a long delay using a scheduled task mechanism, giving the attackers time to clear the evidence.

Nearly all detected Nitrokod campaigns share the same infection chain, starting with the installation of a freely downloaded, trojanized app and ending with the miner’s installation.

Once the user launches the new software, an actual Google Translate application is installed. In addition, an updated file is dropped which starts a series of four droppers until the actual malware is dropped. Once executed, the malware connects to its command-and-control server to receive a configuration for the XMRig crypto miner and start the mining process.

Advertisements

Remediation:

To clean an infected machine, follow these steps.

  1. Remove the following files on system32:
    • Any file starting with chainlink.
    • exe
    • exe
  2. Remove the updater.
    • Remove the folder C:\ProgramData\Nitrokod.
  3. Remove malicious schedule tasks.
    • InstallService\1
    • InstallService\2
    • InstallService\3
    • InstallService\4

Indicators of Compromise

  • Nitrokod[.]com
  • Intelserviceupdate[.]com
  • nvidiacenter[.]com
  • abe0fb9cd0a6c72b280d15f62e09c776
  • a3d1702ada15ef384d1c8b2994b0cf2e
  • 668f228c2b2ff54b4f960f7d23cb4737
  • 017781535bdbe116740b6e569657eedf
  • 0cabd67c69355be4b17b0b8a57a9a53c
  • 27d32f245aaae58c1caa52b349bed6fb
Tags:

Leave a Reply

You may have missed

Sony attack – Ransomed.vc claims responsibility

September 26, 2023

Chrome Zeroday – CVE-2023-4863 PoC Exploit Released

September 25, 2023

BlackCat adds Clarion to its Victim list

September 24, 2023

TheCyberThrone Security Week In Review – September 23, 2023

September 24, 2023

MGM Resorts and Ceasars Attacks – Lesson Learnt

September 23, 2023

CISA KEV Update September 2023 – Part II

September 23, 2023
%d bloggers like this: