A Turkish-based malware campaign, called Nitrokod, has infected thousands of machines with cryptomining malware. And oddly enough, Nitrokod spreads this malware through unofficial desktop versions of popular web apps, such as Google Translate.
Note: To be clear, Google doesn’t offer an official Translate app for PC. If you’re using an unofficial Google Translate app, I suggest uninstalling it and relying on the Google Translate website instead. You can pin the Translate website to your desktop and pretend it’s an app, if you want.
The malware scheme was detected by Check Point XDR and publicized by Check Point Research. Essentially, Nitrokod distributes free software versions of Google Translate, Microsoft Translate, and various MP3 downloaders. These applications contain a timebomb—they slowly install encrypted RAR archives that contain the building blocks for a cryptominer.
By the time this cryptominer is installed on your PC, all evidence of wrongdoing is erased. Plus, the malware’s file location is whitelisted by Windows Defender. This process can take months, but in the end, hackers will utilize your system resources to mine cryptocurrency.
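One thing a defender can check for, given that the final stage adds its own folder to Windows Defender’s exclusions, is whether any exclusion points at a location an ordinary installer has no business whitelisting. The script below is an added example written for this article; it is not code from the article or from Check Point Research. It assumes an elevated PowerShell session on a Windows machine where the Defender module (Get-MpPreference) is available, and the list of “suspicious” prefixes is a heuristic chosen here, not something the research specifies.

```powershell
# Added example (not from the article or Check Point Research): list Microsoft
# Defender exclusions and flag the ones that sit in user-writable or temporary
# locations, which is where a dropper that whitelists its own folder would most
# plausibly put one. Assumes an elevated session with the Defender module loaded.

# Heuristic prefixes chosen for this example; adjust for your own baseline.
$suspiciousPrefixes = @(
    "$env:SystemDrive\Users",   # C:\Users\<anyone>\... (AppData, Downloads, Desktop)
    "$env:ProgramData",
    "$env:windir\Temp"
)

$pref = Get-MpPreference
$findings = @()

# Path exclusions: anything under a user-writable root is worth a look.
foreach ($path in @($pref.ExclusionPath)) {
    if ([string]::IsNullOrWhiteSpace($path)) { continue }
    foreach ($prefix in $suspiciousPrefixes) {
        if ($path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += [pscustomobject]@{
                Type   = 'Path'
                Value  = $path
                Reason = "located under $prefix"
            }
        }
    }
}

# Process exclusions are rarely needed on an end-user PC, so report every one.
foreach ($proc in @($pref.ExclusionProcess)) {
    if ([string]::IsNullOrWhiteSpace($proc)) { continue }
    $findings += [pscustomobject]@{
        Type   = 'Process'
        Value  = $proc
        Reason = 'process exclusion on an end-user machine'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No suspicious Defender exclusions found.'
} else {
    $findings | Format-Table -AutoSize
    # Remove an entry only after confirming it is not a documented, legitimate
    # exclusion (for example one set by a known backup or developer tool):
    #   Remove-MpPreference -ExclusionPath '<path from the table above>'
}
```

Run it as Administrator; without elevation Get-MpPreference may return an empty exclusion list rather than an error. Because this campaign reportedly waits months before installing the miner, a one-off check is less useful than a scheduled run whose output is compared against a known-good baseline, and Defender itself records configuration changes (including new exclusions) as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is the better place to alert on them as they happen.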
Nitrokod’s software is available on platforms like Softpedia and Uptodown. And if you search for “Google Translate desktop app,” Nitrokod occupies the first few results. Check Point Research believes that Nitrokod began spreading malware way back in 2019.
To create its software, the Nitrokod hackers simply take a Chromium app framework and force it to display an embedded version of a webpage. These hackers aren’t building apps from the ground up, although they may have developed (or adapted) the script that automatically installs the malware.
We suggest that you avoid third-party versions of popular web services. And if you see an app that’s described as “100% clean,” or any other suspicious nonsense, run away! Those affected by Nitrokod should uninstall any associated software and block known cryptomining pools from their network.
Source: Check Point Research