Malware Disguised as Google Translate App Delays Crypto Mining Software Download to Avoid Detection - Cyber and Fraud Centre

Researchers at Check Point Research have uncovered malware disguised as multiple legitimate apps, including Google Translate and YouTube Music for Desktop. If downloaded, the malware waits for a month to deploy its malicious crypto mining software. The applications are a replica of the legitimate apps and deliver the same service; users downloading the fake apps are unaware of the malicious code running in the background.

Created by a Turkish software company called Nitrokod, the apps have not only been made available on the original creator’s sites but have also been posted on other popular software sites where they claim to have over one hundred thousand downloads.

*Products listed on Nitrokod[.]com hiding malicious crypto mining code.Source:* *https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/*

*The malicious programs have had over 100,000 downloads and high ratings on popular software-sharing sites. Source:* *https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/*

The malware also has multiple other ways of avoiding detection. Researchers reported that there are six stages the program goes through before finally downloading the crypto mining part of the software. Additionally, the code has multiple delayed scheduled tasks that give the malware’s threat actors time to clear evidence.

To maintain persistence, the program runs scheduled tasks every time the host device is started up, allowing it to run the crypto mining software and consistently check that the malicious side of the program still exists, re-downloading it if not. Notably, the malware can avoid detection by waiting for four different system start-ups on four different days, meaning it could take weeks for the malicious code to deploy.

The full technical report on this malware can be found here.

Preventions:

The following steps can help you remove this malware:

Remove the following files from the system32 folder. This can be done by going to C:\Windows\System32 if you are on a Windows device
- Any file starting with chainlink.
  - nniawsoykfo.exe
  - powermanager.exe
Remove the updater.
- Remove the folder C:\ProgramData\Nitrokod.
Remove malicious schedule tasks. This can be done by going to the Task Scheduler
- InstallService\1
- InstallService\2
- InstallService\3
- InstallService\4

Malware can pose a significant risk to individual devices, business networks, and services. Some types of malware are designed to look for other devices connected to the network of the host device to infect. This may not only be laptops and PCs but also servers and internet-of-things devices. An infected device brought into a work environment can pose a significant security risk and could allow malicious users into your network.

To protect your organisation against malware:

Ensure that any new software must be approved by a system administrator before being downloaded.
Keep your antivirus turned on and updated on all work devices
Regularly check that all your devices and software are on the latest updates
Limit the use of USB drives in your organisation. This can be done by blocking access to physical USB ports to most users and only allowing approved drives to be used with your organisation’s devices (and nowhere else).

06.09.22

Threat Intelligence Alerts