
Experts uncover covert crypto-mining campaign affecting 11 countries
A covert crypto-mining campaign attributed to Nitrokod is believed to have infected thousands of computers across 11 countries with malware, according to experts at Check Point Research (CPR).
Attackers injected crypto-mining utilities into free applications built on popular services such as Google Translate or YouTube Music.
The operation is linked to Turkish software developer Nitrokod, active since 2019. The company offers supposedly free desktop versions of programs that have no official desktop version.
Most such apps are simply wrappers built with a Chromium-based framework around the official web pages, requiring no bespoke development, experts noted.
The popularity of the underlying services ensures high search rankings. The firm’s software is distributed via well-known free software platforms such as Softpedia or Uptodown, CPR researchers noted.
The attackers remained undetected for a long time thanks to a complex, multi-stage infection process. The hidden module that installs the mining utility activated only several weeks after the program was installed on the computer.
The infection process was broken into six time-staggered stages, masked as updates. At all stages, the installer erased traces in logs, hindering detection.
After launching the XMRig tool for covert Monero mining, the malware relaunched it daily via scheduled tasks in case security software had stopped it.
Experts say that the use of CPR’s XDR solution enabled the detection of the large-scale covert mining campaign. The tool was able to identify each action by the malware, timestamp it, and correlate them into a single attack.
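The two behaviours described above, a scheduled task that relaunches the miner and the erasure of logs, are the kind of events a defender can correlate on a timeline. The following detection sketch is an added example, not code from the article or from Check Point Research: it runs a simple rule over constructed event records and flags a host where a scheduled task whose action looks like an XMRig launch is followed within a short window by an audit-log clear. The event IDs 4698 ("A scheduled task was created") and 1102 ("The audit log was cleared") follow the Windows Security log numbering; the `Event` record layout, the hostnames, paths and pool address are assumptions made up for this example.

```python
"""
Detection sketch (added example): correlate scheduled-task creation that looks
like a miner launch with a subsequent audit-log clear on the same host.

Assumptions (constructed for this example): events are already parsed into
(timestamp, host, event_id, detail) records; event IDs 4698 and 1102 follow the
Windows Security log numbering; hostnames, paths and the pool address are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    event_id: int
    detail: str  # task action / command line for 4698, empty for 1102


# Strings typical of an XMRig launch: the binary name, a stratum pool URL,
# the donate-level switch, or the pool flag "-o host:port".
MINER_PATTERNS = re.compile(
    r"xmrig|stratum\+tcp://|--donate-level|(?:^|\s)-o\s+\S+:\d+", re.I
)


def is_miner_task(detail: str) -> bool:
    """True if a scheduled task's action looks like a Monero miner launch."""
    return bool(MINER_PATTERNS.search(detail))


def correlate(events, window=timedelta(minutes=30)):
    """Return {host: [finding, ...]}. A miner-looking task alone is 'medium';
    if an audit-log clear (1102) follows it within `window` on the same host,
    the finding is 'high', since the log wipe is the evasion step that hides
    the persistence."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)

    findings = {}
    for host, evs in by_host.items():
        clears = [e for e in evs if e.event_id == 1102]
        for task in evs:
            if task.event_id != 4698 or not is_miner_task(task.detail):
                continue
            after = [c for c in clears if task.ts <= c.ts <= task.ts + window]
            findings.setdefault(host, []).append({
                "severity": "high" if after else "medium",
                "task": task,
                "log_clear": after[0] if after else None,
            })
    return findings


# Constructed sample events (not real telemetry).
T0 = datetime(2022, 8, 30, 10, 0, 0)
SAMPLE_EVENTS = [
    # host-a: miner task created, audit log cleared five minutes later
    Event(T0, "host-a", 4698,
          r"C:\Users\u\AppData\Roaming\gtranslate\xmrig.exe -o pool.example.invalid:3333"),
    Event(T0 + timedelta(minutes=5), "host-a", 1102, ""),
    # host-b: ordinary backup task, no log clear
    Event(T0 + timedelta(hours=1), "host-b", 4698,
          r"C:\Program Files\Backup\backup.exe --daily"),
    # host-c: miner recognised by the pool URL only; log cleared hours later (outside window)
    Event(T0 + timedelta(hours=2), "host-c", 4698,
          r"C:\ProgramData\svc\svc.exe -o stratum+tcp://pool.example.invalid:4444 -u WALLET"),
    Event(T0 + timedelta(hours=4), "host-c", 1102, ""),
]


if __name__ == "__main__":
    for host, items in correlate(SAMPLE_EVENTS).items():
        for f in items:
            print(host, f["severity"], f["task"].detail)
```

The rule deliberately keys on the task's command line rather than on a file hash, because the multi-stage installer described above can change the dropped binary between stages while the launch arguments (pool address, donate level) stay recognisable. The window is a tunable: the article says the log erasure happened at every stage, so a clear shortly after task creation is the strongest signal, but a miner-looking task on its own still merits a look.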
Earlier, in December 2021, the attackers distributed hidden Monero miners via a torrent file containing a pirated copy of the film ‘Spider-Man: No Way Home’.