Nitrokod - Google Translate app is actually Windows Crypto-Mining Malware

upnorth

Watch out: someone is spreading cryptocurrency-mining malware disguised as legitimate-looking applications, such as Google Translate, on free software download sites and through Google searches.

The cryptomining Trojan, known as Nitrokod, is typically disguised as a clean Windows app and works as the user expects for days or weeks before its hidden Monero-crafting code is executed.

It's said that the Turkish-speaking group behind Nitrokod – which has been active since 2019 and was detected by Check Point Research threat hunters at the end of July – may already have infected thousands of systems in 11 countries.

What's interesting is that the apps provide a desktop version to services generally only found online. "The malware is dropped from applications that are popular, but don't have an actual desktop version, such as Google Translate, keeping the malware versions in demand and exclusive," Check Point malware analyst Moshe Marelus wrote in a report Monday.

"The malware drops almost a month after the infection, and following other stages to drop files, making it very hard to analyze back to the initial stage."

Along with Google Translate, other software leveraged by Nitrokod includes other translation applications – including Microsoft Translator Desktop – and MP3 downloader programs. On some sites, the malicious applications will boast about being "100% clean," though they are actually loaded with mining malware. Nitrokod has been successful using download sites such as Softpedia to spread its naughty code. According to Softpedia, the Nitrokod Google Translator app has been downloaded more than 112,000 times since December 2019.
 
