Crypto miner impersonates “Google Translate Desktop” to infect victims

Check Point Research (CPR) has discovered an active cryptocurrency mining campaign impersonating “Google Translate Desktop” and other free software to infect PCs. The campaign was created by a Turkish-speaking company called Nitrokod and has had over 111,000 downloads in 11 countries in 2019.

The attackers delay the infection process for several weeks to avoid detection. CPR warns that the attackers can easily modify the malware, for example converting it from a cryptominer to ransomware or banking Trojans.

The campaign uses free software available on popular websites such as Softpedia and uptodown to infect victims with malware. These are imitations of popular applications that do not have real desktop versions, such as Google Translate. In addition, the malware can also be easily found via Google when users search for “google translate desktop download”. After the initial installation of the software, the attackers delay the infection process for weeks and delete traces of the original installation. The victims so far come from the UK, USA, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia and Poland.

Image 1: Top results when searching for a Google Translate desktop version

The crypto miner remained undetected for years

The campaign has successfully operated under the radar for years. To avoid detection, the Nitrokod authors waited almost a month after installing the Nitrokod program before executing the malware. In addition, the malware is delivered only after six previous work steps in the infected programs. The infection chain continues with a long delay through a scheduled task mechanism, giving the attackers time to remove all evidence.

chain of infection

The infection chain is the same for most Nitrokod campaigns, starting with the installation of an infected program downloaded from the Internet. When the user launches the new software, a real Google Translate application will be installed. Additionally, an updated file is dropped, which launches a series of four droppers until the actual malware is dropped. After the malware executes, it connects to the victim’s C&C server to get a configuration for XMRig cryptominer and starts mining.

Figure 2: Map of the Google Translate malware infection chain
Figure 2: Map of the chain of infection

Maya Horowitz, VP of Research at Check Point Software, on the discovery:

“We discovered a popular website impersonating malicious versions of PC applications such as Google Translate and others, including a cryptocurrency miner. The malicious tools can be used by anyone. They can be found with a simple web search and downloaded via a link. The installation occurs with a single double-click. We know that the tools are developed by a Turkish-speaking developer. Currently, the threat we have identified is the unwitting installation of a cryptocurrency miner that steals computer resources and monetizes them for the attacker. Using it same attack flow, the attacker can easily change the final payload of the attack, turning it from a crypto-miner to, for example, ransomware or a banking trojan.

What interests me the most is the fact that the malware is so popular and yet stayed under the radar for so long. We have blocked the threat against Check Point’s customers and published a report so that others can be protected as well.”

More info:

You can read the entire report here.

Leave a Comment