A cryptocurrency mining campaign emulating Google Translate Desktop and other free software has been infecting PCs since 2019, new data published by Check Point Research (CPR) suggests.
The malware, created by a Turkish-speaking entity called Nitrokod, reportedly claimed an estimated 111,000 victims in 11 countries.
According to the CPR report, the attackers also delayed the infection process for weeks to evade detection.
“The campaign drops malware from free software available on popular websites such as Softpedia and uptodown,” explained CPR in the research paper.
Further, the malicious software can also be reportedly found via regular user searches on Google with keywords such as ‘Google Translate Desktop download.’
“Once the user launches the new software, an actual Google Translate imitation application is installed,” CPR said. “In addition, an update file is dropped to disk, which starts a series of four droppers until the actual malware is dropped.”
After the malware is downloaded and executed, it then connects to its command and control (C&C) server to get a configuration for the XMRig cryptominer and starts the mining activity.
“Currently, the threat we identified was unknowingly installing a cryptocurrency miner, which steals computer resources and leverages them for the attacker to monetize on,” said Maya Horowitz, VP of research at Check Point Software.
Using the same attack flow, the attacker can also alter the final payload of the attack, changing it from a cryptominer to a ransomware or banking Trojan.
“What’s most interesting to me is the fact that the malicious software is so popular yet went under the radar for so long,” Horowitz added. “We blocked the threat for Check Point customers and are publishing this report so that others can be protected as well.”
The full text of the technical write-up can be found at this link here. The publication comes weeks after CPR released a list of the most used malware in the wild in July.