Nitrokod Crypto Miner Infected Over 111,000 Users with Copies of Popular Software

A Turkish-speaking entity called Nitrokod has been attributed to an active cryptocurrency mining campaign that involves impersonating a desktop application for shoppingmode Google Translate to infect over 111,000 victims in 11 countries since 2019.

“The malicious tools can be used by anyone,” Maya Horowitz, vice president of research at Check Point, said in a statement shared with The Hacker News. “They can be found by a simple web search, downloaded from a link, and installation is a simple double-click.”

The list of countries with victims includes the U.K., the U.S., Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland.

The campaign entails serving malware through free software hosted on popular sites such as Softpedia and Uptodown. But in an interesting tactic, the malware puts off its execution for weeks and separates its malicious activity from the downloaded fake software to avoid detection.

The installation of the infected program is followed by the deployment of an update executable to the disk that, in turn, kick-starts a four-stage attack sequence, with each dropper paving way for the next, until the actual malware is dropped in the seventh stage.

Upon execution of the malware, a connection to a remote command-and-control (C2) server is established to retrieve a configuration file to initiate the coin mining activity.

A notable aspect of the Nitrokod campaign is that the fake software offered for free are for services that do not have an official desktop version, such as Yandex Translate, shoppingmode Microsoft Translate, YouTube Music, MP3 Download Manager, and Pc Auto Shutdown.

Furthermore, the malware is dropped almost a month after the initial infection, by when the forensic trail is deleted, making it challenging to break down the attack and trace it back to the installer.

“What’s most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long,” Horowitz said. “The attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking trojan.”

https://thehackernews.com/2022/08/nitrokod-crypto-miner-infected-over.html?m=1

Leave a Comment Cancel Reply

London, GB

11:43 pm, Apr 1, 2025

8°C

L: 7° | H: 9°

Feels like 4°C° clear sky

Humidity: 80 %

Pressure: 1024 mb

Wind: 12 mph ENE

Wind Gust: 0 mph

UV Index: 0

Precipitation: 0 mm

Clouds: 1%

Rain Chance: 0%

Visibility: 10 km

Sunrise: 6:35 am

Sunset: 7:32 pm

DailyHourly

Daily ForecastHourly Forecast

Tomorrow 10:00 pm

7° | 9°°C 0 mm 0% 16 mph 80 % 1024 mb 0 mm/h

Thu Apr 03 10:00 pm

9° | 16°°C 0 mm 0% 11 mph 84 % 1021 mb 0 mm/h

Fri Apr 04 10:00 pm

10° | 18°°C 0 mm 0% 13 mph 84 % 1022 mb 0 mm/h

Sat Apr 05 10:00 pm

7° | 17°°C 0 mm 0% 12 mph 73 % 1022 mb 0 mm/h

Sun Apr 06 10:00 pm

7° | 13°°C 0 mm 0% 11 mph 78 % 1025 mb 0 mm/h

Tomorrow 1:00 am

8° | 8°°C 0 mm 0% 10 mph 80 % 1024 mb 0 mm/h

Tomorrow 4:00 am

7° | 7°°C 0 mm 0% 9 mph 78 % 1024 mb 0 mm/h

Tomorrow 7:00 am

8° | 8°°C 0 mm 0% 11 mph 75 % 1024 mb 0 mm/h

Tomorrow 10:00 am

12° | 12°°C 0 mm 0% 14 mph 59 % 1023 mb 0 mm/h

Tomorrow 1:00 pm

14° | 14°°C 0 mm 0% 15 mph 49 % 1022 mb 0 mm/h

Tomorrow 4:00 pm

13° | 13°°C 0 mm 0% 16 mph 54 % 1021 mb 0 mm/h

Tomorrow 7:00 pm

12° | 12°°C 0 mm 0% 12 mph 61 % 1021 mb 0 mm/h

Tomorrow 10:00 pm

11° | 11°°C 0 mm 0% 11 mph 68 % 1021 mb 0 mm/h

Name	Price	24H (%)
Bitcoin(BTC)	€78,952.80	3.56%
Ethereum(ETH)	€1,776.17	5.28%
Tether(USDT)	€0.93	0.01%
XRP(XRP)	€1.99	3.43%
Solana(SOL)	€117.50	1.37%
USDC(USDC)	€0.93	0.00%
Dogecoin(DOGE)	€0.161344	5.80%
Shiba Inu(SHIB)	€0.000012	3.17%
Pepe(PEPE)	€0.000007	8.75%

Nitrokod Crypto Miner Infected Over 111,000 Users with Copies of Popular Software

Share:

Leave a Comment Cancel Reply

Utility link

Useful link

Newsletter

Follow Us