A Turkish-based threat group operating under the name ‘Nitrokod’ has been seen conducting a cryptomining campaign that offers malicious desktop versions of various popular software. According to the report, about 11 countries have been targeted and thousands of systems worldwide have been infected.
Nitrokod’s cryptomining campaign was first detected in 2019. The threat operators have created fake desktop versions of widely used apps and software that, if downloaded and run by victims, would infect their systems with malware.
The 11 countries targeted by this campaign include the UK, the US, Greece, Sri Lanka, Australia, Germany, Poland, Israel, Turkey, Cyprus, and Mongolia. In these affected countries, more than 111,000 victims have been infected.
Users looking for free software versions online are the prime targets of Nitrokod’s cryptomining campaign.
These malicious software copies are often hosted on sites like Softpedia and Uptodown. The infection is composed of four stages: the executable inside the malicious software starts the chain, and each malware dropper triggers the next one. The XMRig miner is launched only after the earlier stages have finished.
In typical cases, the threat operators offer fake desktop versions of software brands that have no official desktop version, to entice targets into downloading them. These tools include Microsoft Translate and YouTube Music, among others. Researchers note that it takes about a month until the malware is finally dropped and infects the compromised computer.
Security experts find the attack hard to detect because of the long gap before the malicious processes run and the immediate deletion of its tasks once they have run. The payload also connects to the threat operators’ command-and-control (C2) server to request a configuration file that is used to start the cryptomining activity with XMRig.
Furthermore, the long infection chains in this cryptomining campaign helped the threat actors evade security detection. The ample time the campaign gives the operators is enough for them to swap the final payload for either a cryptominer or ransomware.
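A defender-side heuristic for the pattern described above (a multi-stage dropper chain, weeks of dormancy, then a process with XMRig-style mining arguments), as an added example that is not from the original report; the process events, file names and thresholds are constructed for illustration:

```python
# Added example, not from the original report. Looks through constructed
# process-creation telemetry for a lineage that is several droppers deep,
# stays dormant for weeks, and ends in a process with miner-style arguments.
from datetime import datetime, timedelta

# Constructed sample telemetry: (pid, ppid, timestamp, image, command line).
# All names, paths and pool addresses are invented for illustration.
EVENTS = [
    (100, 1,   "2022-07-01T10:00:00", "translator_setup.exe", "translator_setup.exe"),
    (101, 100, "2022-07-01T10:00:05", "stage1.exe", "stage1.exe /q"),
    (102, 101, "2022-07-05T09:00:00", "stage2.exe", "stage2.exe"),
    (103, 102, "2022-07-20T09:00:00", "stage3.exe", "stage3.exe"),
    (104, 103, "2022-08-02T09:00:00", "svchost64.exe",
     "svchost64.exe -o stratum+tcp://pool.example:3333 --donate-level=1"),
    (200, 1,   "2022-07-01T11:00:00", "notepad.exe", "notepad.exe"),
]

# Command-line fragments typical of XMRig-style miners (stratum pool URL,
# donate level, or the miner's own name).
MINER_MARKERS = ("stratum+tcp://", "--donate-level", "xmrig")

def parse(ts):
    return datetime.fromisoformat(ts)

def chain_to_root(pid, by_pid):
    """Walk parent links back to the root process; returns root-first list."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev)
        pid = ev[1]
    return list(reversed(chain))

def find_dormant_miner_chains(events, min_depth=3, min_delay=timedelta(days=20)):
    """Flag miner-like processes whose lineage is deep and long-dormant."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for ev in events:
        cmd = ev[4].lower()
        if not any(m in cmd for m in MINER_MARKERS):
            continue
        chain = chain_to_root(ev[0], by_pid)
        delay = parse(chain[-1][2]) - parse(chain[0][2])
        if len(chain) >= min_depth and delay >= min_delay:
            hits.append({"root": chain[0][3], "miner": ev[3],
                         "depth": len(chain), "days": delay.days})
    return hits

if __name__ == "__main__":
    print(find_dormant_miner_chains(EVENTS))
```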
Similar cyberattack operations have involved threat groups leveraging users’ desire for free software online, where they do not need to pay anything, and offering desktop versions where none is officially available.
Thus, to avoid being victimised, users are strongly advised not to download free software online, especially from unknown third-party sources, since such downloads likely carry malware that can severely infect computers.