In a recently discovered malware campaign, hackers have been using a fake Google Translate desktop app since 2019 to infect thousands of Windows PCs with malware that mines cryptocurrency without the user's permission.
This cryptojacking malware was created by a Turkish company called Nitrokod. It mines cryptocurrency using the host's graphics processing unit (GPU) without the user's permission, and according to a report by cybersecurity research firm Check Point Research it has infected thousands of Windows computers worldwide. Mining this way consumes a significant amount of energy on the victim's machine.
“Malware is removed from apps that are popular, but don’t have an actual desktop version, like Google Translate, keeping malware versions in-demand and exclusive,” Check Point malware analyst Moshe Marelus wrote in a report on Monday.
How are users affected?
Once the user installs the malware-infected application on the computer, the application installs a working Google Translate front end: built on Chrome code, it renders the real Google Translate web page inside a desktop window. This gives the trojanized program genuine functionality, so the victim has no reason to suspect it. A scheduled update check is sent each time the system is started.
The hackers then wait patiently for a month before the mining software is installed, so that the user does not notice any unusual power consumption.
First, a post-installation message containing information about the infected machine is sent to the Nitrokod domain. Then a scheduled update checker is installed, which checks with the Nitrokod domain every time the system starts.
After the user has restarted the system four times, the fourth-stage dropper, chainlink1.07.exe, is extracted from another encrypted RAR file. Tying execution to reboots in this way lets the hacker evade the sandbox detection performed by antivirus software, since a sandbox rarely runs long enough to see the payload.
Next, the Stage 4 dropper is responsible for creating four tasks. The first is to install Dropper 5, which checks the system for certain security firewalls. If it detects that the firewalls are activated, it notifies the hackers’ servers.
All incoming files are then dropped into a temporary folder, and that folder is added to the Windows Defender exclusion list so its contents are not scanned. Finally, the mining malware itself, a program named powermanager.exe, is dropped into the temporary folder and begins mining crypto without the user's permission.
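As an added defender-side example (not part of the article or of Check Point's report), the following PowerShell hunt checks a Windows host for the traces this chain leaves behind: a Defender exclusion covering a temporary folder, a scheduled task that launches from a temp path at boot or logon, and running processes with the file names the article gives. The list of temp folders and the trigger class names are assumptions; run it from an elevated prompt.

```powershell
# Hunt for Nitrokod-style traces described above. Added example, not the article's code.
# File names come from the article; temp roots and trigger classes are assumptions.
$SuspectNames = @('powermanager.exe', 'chainlink1.07.exe')
$TempRoots = @($env:TEMP, $env:LOCALAPPDATA, "$env:SystemRoot\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

$Findings = @()

# 1. A Defender exclusion on a temp or app-data folder is rarely legitimate.
$Pref = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($Path in @($Pref.ExclusionPath)) {
    if (-not $Path) { continue }
    $Expanded = [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\')
    if ($TempRoots | Where-Object { $Expanded -like "$_*" }) {
        $Findings += [pscustomobject]@{ Type = 'DefenderExclusion'; Detail = $Path }
    }
}

# 2. Scheduled tasks that run at boot/logon from a temp or app-data path
#    (the article's "update checker" runs every time the system starts).
foreach ($Task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $BootOrLogon = $Task.Triggers | Where-Object {
        $_.CimClass.CimClassName -in 'MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger'
    }
    if (-not $BootOrLogon) { continue }
    foreach ($Action in $Task.Actions) {
        $Exe = [Environment]::ExpandEnvironmentVariables("$($Action.Execute)").Trim('"')
        if ($TempRoots | Where-Object { $Exe -like "$_*" }) {
            $Findings += [pscustomobject]@{ Type = 'StartupTaskFromTemp'; Detail = "$($Task.TaskName): $Exe" }
        }
    }
}

# 3. Known dropper/miner file names from the article, wherever they run from.
foreach ($Proc in Get-Process -ErrorAction SilentlyContinue) {
    $Name = "$($Proc.ProcessName).exe".ToLower()
    if ($SuspectNames -contains $Name) {
        $Findings += [pscustomobject]@{ Type = 'SuspectProcess'; Detail = "$Name (PID $($Proc.Id)) $($Proc.Path)" }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No Nitrokod-style traces found.' }
```

A hit on the exclusion or startup-task checks is a strong lead on its own, since neither is something a normal desktop application needs.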
The victims mainly belong to the United Kingdom, the United States, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia and Poland.
The Trojan horse campaign involves spreading malware using free programs available on well-known websites such as Softpedia and Uptodown, according to the report.
“Using an interesting strategy, the malware delays execution for weeks while keeping its dangerous behavior distinct from the fake downloaded software. With the help of download websites like Softpedia, Nitrokod was effective in spreading its infected code,” the report states.
Incidentally, the Nitrokod Google Translator program has been downloaded over 112,000 times since December 2019, according to Softpedia.
In addition to Google Translate, Nitrokod also uses MP3 download apps and other translation software, such as Microsoft Translator Desktop. On some websites the download is advertised as 100% clean, when in reality it contains mining malware.