Windows malware delays coinminer install by a month to evade detection

Aug 30, 2022 | News


A new malware campaign disguised as Google Translate or MP3 downloader programs was found distributing cryptocurrency mining malware across 11 countries.


The fake applications are being distributed through legitimate free software sites, providing broad exposure to the malicious applications to both regular visitors of the sites and search engines.

According to a report by Check Point, the malware is created by a developer named ‘Nitrokod,’ whose software at first look appears to be clean of malware and provides the advertised functionality.

However, Check Point says the software purposely delays the installation of the malicious components for up to a month to evade detection.

The Nitrokod website homepage

Unfortunately, Nitrokod’s offerings rank high in Google Search results, so the website acts as an excellent trap for users seeking a specific utility.

BleepingComputer has contacted Nitrokod’s administrator at the listed contact address, but we have not yet received a comment from them.

Additionally, as Check Point discovered, Nitrokod’s Google Translate applet was also uploaded on Softpedia, where it reached over 112,000 downloads.

The malware app on Softpedia (Check Point)

Infection chain

Regardless of which program is downloaded from the Nitrokod website, the user receives a password-protected RAR archive that evades AV detection and contains an executable named after the selected app.

Upon running the file, the software is installed on the user’s system along with two registry keys.

Profiling the host and sending details to C2 (Check Point)

To avoid raising suspicions and to thwart sandbox analysis, the software activates a dropper from another encrypted RAR file fetched via Wget on the fifth day of the infection.

Next, the software clears all system logs using PowerShell commands and, after another 15 days, fetches the next encrypted RAR from “intelserviceupdate[.]com.”

Timeline of infection stages (Check Point)

The next-stage dropper checks for the presence of antivirus software, searches for processes that might belong to virtual machines, and eventually adds a firewall rule and an exclusion to Windows Defender.

Firewall rule to exempt malware communications from scrutiny (Check Point)

Now that the device has been prepped for the final payload, the program loads the last dropper, which fetches another RAR file containing the XMRig mining malware, its controller, and a “.sys” file that holds its settings.

The malware determines whether it’s running on a desktop or a laptop, then connects to its C2 (“nvidiacenter[.]com”) and sends a full host system report via HTTP POST requests.

Finally, the C2 responds with instructions such as whether to activate, how much CPU power to use, when to ping C2 again, or what programs to check for and exit if found.

The complete attack chain diagram (Check Point)
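The following PowerShell script is an added example for this section, not code from the article or from Check Point's report. It checks a Windows host for the artefacts the infection chain described above leaves behind: Windows Defender exclusions, firewall allow rules bound to a program, cleared event logs, and cached DNS answers for the two C2 domains the article names. The Event IDs used for log clearing (1102 in the Security log, 104 in the System log) are standard Windows values; the user-writable-path heuristic for firewall rules and the 60-day lookback window are the example's own assumptions.

```powershell
# Added example, not code from the article or from Check Point's report.
# Triage script for the host-side artefacts described above: Defender
# exclusions, program-bound firewall allow rules, cleared event logs and
# DNS-cache entries for the two C2 domains named in the article.
# Assumptions: run from an elevated PowerShell 5.1+ session on a Windows
# host with the Defender, NetSecurity and DnsClient modules available; the
# path heuristic for "suspicious" rule programs is this example's own choice.

$ErrorActionPreference = 'Continue'

# Domains from the article (defanged there as intelserviceupdate[.]com and
# nvidiacenter[.]com). A hit is a lead to investigate, not proof of infection.
$SuspectDomains = @('intelserviceupdate.com', 'nvidiacenter.com')
$DomainPattern  = '(^|\.)(' + (($SuspectDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\.?$'

# 1. Windows Defender exclusions. The dropper adds one so the miner is never
#    scanned; any exclusion you did not create yourself deserves a look.
Write-Host '== Windows Defender exclusions =='
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($item in @($pref.$kind)) {
            if ($item) { Write-Host ("{0,-18} {1}" -f $kind, $item) }
        }
    }
}

# 2. Firewall allow rules bound to a specific program. The dropper adds a
#    rule to exempt its traffic; rules whose program lives under a
#    user-writable directory are the ones to review first (heuristic).
Write-Host "`n== Enabled allow rules bound to a program under a user-writable path =="
Get-NetFirewallRule -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        if ($app.Program -and $app.Program -ne 'Any') {
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Direction = $rule.Direction
                Program   = $app.Program
            }
        }
    } |
    Where-Object { $_.Program -match '\\(Users|ProgramData|Temp)\\' } |
    Format-Table -AutoSize

# 3. Log clearing. Clearing the Security log records Event ID 1102 in the
#    Security log; clearing the System or Application log records Event ID
#    104 in the System log. Both are rare on a healthy workstation.
Write-Host "`n== Log-clearing events in the last 60 days =="
$since   = (Get-Date).AddDays(-60)
$cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue) +
           @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $since } -ErrorAction SilentlyContinue)
$cleared | Select-Object TimeCreated, Id, LogName, ProviderName | Format-Table -AutoSize

# 4. DNS resolver cache. A cached answer for either C2 domain means something
#    on this host resolved it recently.
Write-Host "`n== DNS cache entries for the reported C2 domains =="
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match $DomainPattern } |
    Select-Object Entry, RecordType, Data, TimeToLive | Format-Table -AutoSize
```

Save it as a .ps1 file and run it from an elevated prompt. An empty section means no match; a hit in any one section is a lead to be read together with the others (an exclusion plus a program-bound rule under a user profile path, for instance), not a verdict on its own.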

How to stay safe

Crypto-mining malware is a risk because the sustained load it puts on the CPU stresses and overheats hardware, and the extra CPU usage degrades the performance of your computer.

Additionally, the malware droppers discovered by Check Point can swap the final payload with something much more dangerous at any time.

To protect yourself, avoid downloading apps that promise functionality not officially released by the original developer, such as a desktop version of the Google Translate tool.

Source: bleepingcomputer.com
