This sneaky malware hides on your PC for a month before going to work


Crypto-mining malware is hidden in fake versions of popular software distributed via free download sites, and it avoids detection by waiting a month before running, in a campaign that has infected Windows PCs around the world.

The malware is called Nitrokod, and the campaign has been active since at least 2019, according to cybersecurity researchers at Check Point, who have detailed it.

Crypto miners, also known as cryptojackers, are a form of malware that secretly uses the computing power of infected devices to mine cryptocurrency.

The process usually goes unnoticed, and the victim of the attack receives none of the cryptocurrency: it is sent to the malware operator, who is likely using a large network of infected devices to generate as much cryptocurrency as possible without the cost of their own computing power or electricity.

SEE: A winning strategy for cybersecurity (ZDNET special report)

Nitrokod is distributed via free software download sites that researchers say can be easily found using search engines. The downloads claim to be desktop versions of popular web applications, even though those applications don't actually offer desktop versions.

“The malware is dropped from applications that are popular but don't have an actual desktop version, such as Google Translate, which keeps the malware versions both desirable and exclusive,” Check Point said.

Anyone who downloads these trojanized apps will end up infected with crypto-mining malware, but not until a month after the first download, because a multi-stage process delays the infection to help ensure the attack isn't detected.

The infection process begins when the application is downloaded via a web installer, which in turn downloads and runs the .exe installer. This installer is used to establish persistence on the infected device and to send information about it back to the attacker.

Five days after that, the next stage of the process delivers a dropper that monitors machine restarts and, after the fourth one, extracts another installer from an encrypted RAR file. This multi-stage approach helps the malware avoid detection in the sandboxes used by security researchers.

SEE: These are the biggest cybersecurity threats. Make sure you aren't ignoring them

At this stage, the directories from the previous stages are deleted so the installation cannot be traced, and a scheduled task is set to run after 15 days.

When that task runs, another encrypted RAR file is downloaded that delivers a further dropper, which in turn extracts yet another dropper from the encrypted file and executes it, installing the crypto miner on the infected computer a month after the initial download.
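The chain described above leaves one host-side artifact a defender can look for: a scheduled task whose first run is scheduled weeks after it was created and whose action lives in a user-writable directory. The following Python is an added example written for this page, not code from Check Point or ZDNET; the task records are constructed for illustration (hypothetical hosts, task names and paths), and the 14-day threshold and the list of user-writable path fragments are assumptions a defender would tune to their environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# One exported scheduled-task entry. The fields mirror what a defender can
# collect from Task Scheduler on Windows hosts; the records below are constructed.
@dataclass
class TaskRecord:
    host: str
    name: str
    created: datetime   # when the task was registered
    next_run: datetime  # first scheduled execution
    action: str         # executable the task launches


# Assumed list of path fragments that an ordinary user can write to.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def is_user_writable(path: str) -> bool:
    """True if the action path sits under a directory a non-admin user can write to."""
    lowered = path.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def flag_delayed_tasks(records, min_delay_days: int = 14):
    """Return (host, task name, reason) for tasks that are both long-delayed
    and launched from a user-writable location. Requiring both conditions keeps
    legitimate monthly tasks in Program Files and short-delay updaters in
    AppData out of the result."""
    flagged = []
    for r in records:
        delay = r.next_run - r.created
        long_delay = delay >= timedelta(days=min_delay_days)
        writable = is_user_writable(r.action)
        if long_delay and writable:
            reason = (f"first run {delay.days} days after creation; "
                      f"launches from user-writable path {r.action}")
            flagged.append((r.host, r.name, reason))
    return flagged


# Constructed sample records (hypothetical hosts and task names).
SAMPLE_TASKS = [
    TaskRecord("ws-01", "EdgeUpdateTaskMachine",
               datetime(2022, 8, 1, 9, 0), datetime(2022, 8, 2, 9, 0),
               r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"),
    TaskRecord("ws-01", "TranslateDesktopUpdate",
               datetime(2022, 8, 1, 9, 5), datetime(2022, 8, 16, 9, 5),
               r"C:\Users\alice\AppData\Roaming\TranslateDesktop\update.exe"),
    TaskRecord("ws-02", "OneDriveStandaloneUpdate",
               datetime(2022, 8, 3, 12, 0), datetime(2022, 8, 4, 12, 0),
               r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\Updater.exe"),
    TaskRecord("ws-03", "MonthlyBackup",
               datetime(2022, 7, 1, 0, 0), datetime(2022, 8, 1, 0, 0),
               r"C:\Program Files\Backup\backup.exe"),
]


if __name__ == "__main__":
    for host, name, reason in flag_delayed_tasks(SAMPLE_TASKS):
        print(f"{host}: task '{name}' flagged: {reason}")
```

Only the 15-day task in a user's AppData directory is reported; the monthly backup (long delay, but in Program Files) and the one-day updater in AppData are not. In practice the same check can be fed from an EDR export or a `Get-ScheduledTask` dump, and the threshold lowered if the environment has few legitimately delayed tasks.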

According to Check Point, the campaign has stayed under the radar for years, and victims around the world have inadvertently infected their devices with the malware.

“The most interesting thing to me is the fact that the malware is very common, yet it has been under the radar for a long time,” said Maya Horowitz, Vice President of Research at Check Point Software.

Anyone who has downloaded the apps is urged to uninstall them and delete the malicious files. To avoid becoming a victim of this and other trojanized downloads, users are advised to download software only from legitimate, trusted websites.

While cryptojackers are arguably among the least harmful forms of malware, being a victim is still a risk, especially since the same methods used to install them can be used to install other, more damaging malware, including ransomware and password-stealing Trojans.

“Currently, the threat we identified was the inadvertent installation of a cryptocurrency miner, which steals and leverages computer resources for an attacker to monetize,” Horowitz said.

“Using the same attack flow, an attacker can easily choose to change the final attack payload, changing it from a cryptocurrency miner to, for example, ransomware or a banking Trojan,” she added.
