May 28, 2023

A Turkish-based cryptocurrency mining malware campaign has been detected called Nitrokod, that infected machines across 11 countries with an XMRig crypto miner.

The malware operators leverage popular software programs available for download on free software sites, such as Softpedia. To avoid detection, the threat actors separate any malicious activity from the downloaded fake software. The software also appears quite easily in Google search results when you search for “Google Translate Desktop download.”

The applications are advertised as “100 clean” via various banners while in truth they are trojanized. The downloads also contain a delayed mechanism that unleashed a long multi-stage infection ending with a crypto miner malware.

Once after the installation, the attackers delayed the infection process for weeks and deleted traces from the original installation. This allowed the campaign to successfully operate under the radar for years.

Advertisements

These are the steps the Nitrokod attacker followed to avoid detection:

  • Executing the malware almost a month after the Nitrokod program was installed.
  • Delivering the payload after 6 earlier stages of infected programs.
  • A continuous infection chain initiated after a long delay using a scheduled task mechanism, giving the attackers time to clear the evidence.

Nearly all detected Nitrokod campaigns share the same infection chain, starting with the installation of a freely downloaded, trojanized app and ending with the miner’s installation.

Once the user launches the new software, an actual Google Translate application is installed. In addition, an updated file is dropped which starts a series of four droppers until the actual malware is dropped. Once executed, the malware connects to its command-and-control server to receive a configuration for the XMRig crypto miner and start the mining process.

Advertisements

Remediation:

To clean an infected machine, follow these steps.

  1. Remove the following files on system32:
    • Any file starting with chainlink.
    • exe
    • exe
  2. Remove the updater.
    • Remove the folder C:\ProgramData\Nitrokod.
  3. Remove malicious schedule tasks.
    • InstallService\1
    • InstallService\2
    • InstallService\3
    • InstallService\4

Indicators of Compromise

  • Nitrokod[.]com
  • Intelserviceupdate[.]com
  • nvidiacenter[.]com
  • abe0fb9cd0a6c72b280d15f62e09c776
  • a3d1702ada15ef384d1c8b2994b0cf2e
  • 668f228c2b2ff54b4f960f7d23cb4737
  • 017781535bdbe116740b6e569657eedf
  • 0cabd67c69355be4b17b0b8a57a9a53c
  • 27d32f245aaae58c1caa52b349bed6fb

Leave a Reply

%d bloggers like this: