Turkish company has been using Yandex and Google to distribute malware for 3 years
Check Point researchers have attributed an active cryptocurrency mining campaign to the Turkish-speaking group Nitrokod; the campaign uses fake desktop applications as droppers and has infected more than 111,000 victims in 11 countries since 2019.
Maya Horowitz, vice president of research at Check Point, said that malicious tools can be used by anyone. They can be found by searching the Internet, downloaded from a link, and installed with a double click.
The campaign has affected victims in the following countries: UK, USA, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia and Poland.
The malware is distributed through freeware hosted on popular download sites such as Softpedia and Uptodown. Notably, it delays its execution for weeks and keeps its malicious activity separate from the downloaded fake software to avoid detection.
Once the infected program is installed, the update executable is deployed to disk, which launches a 4-stage attack sequence in which each dropper prepares the next one until the malware is removed in the seventh stage.
Once the malware is launched, a connection is established to a remote command and control (C&C) server to obtain a configuration file to initiate cryptojacking.
The distinguishing feature of the Nitrokod campaign is that the fake software targets services that don’t have an official desktop version:
Yandex translator; Google translate; Microsoft Translate; YouTube Music; MP3 Download Manager; PC Auto Shutdown.
In addition, the malware is removed almost a month after the initial infection, at which point the forensic trail is erased. This