Crypto mining malware impersonates Google translate desktop, other legitimate apps

Israeli-based cyber threat intelligence firm, Check Point Research (CPR) unmasked a malicious crypto mining malware campaign dubbed Nitrokod as the perpetrator behind the infection of thousands of machines across 11 countries in a report published on Sunday.

Crypto miner malware, also known as cryptojackers, is a type of malware that exploits the computing power of infected PCs to mine cryptocurrency.

Nitrokod has been impersonating Google Translate Desktop and other free software on websites to launch crypto miner malware and infect PCs.  When unsuspecting users search for “Google Translate Desktop download”, the malicious link to the malware-infected software appears at the top of Google Search results.

Since 2019, the malware has been operating with a multi-stage infection process, starting off by delaying contaminating the infection process until a few weeks after the users download the malicious link. They also remove traces of the original installation, keeping the malware-free from detection by anti-virus programs.

“Once the user launches the new software, an actual Google Translate application is installed,” the CPR report read. This is where victims encounter realistic-looking programs with a Chromium-based framework that directs the user from the Google Translate webpage and tricks them into downloading the fake application.

In the next stage, the malware schedules tasks to clear logs to remove related files and evidence and the next stage of the infection chain will continue after 15 days multi-stage approach helps the malware avoid being detected in a sandbox set up by security researchers.

“In addition, an updated file is dropped, which starts a series of four droppers until the actual malware is dropped,” the CPR report added.

In other words, the malware starts a Monero (XMR) crypto-mining operation whereby the malware “powermanager.exe” is stealthily dropped into the infected machines by connecting to its Command and Control server that enables cybercriminals to monetize users of  Google Translate’s desktop app.

Monero is the best-known cryptocurrency for cryptojackers and other illicit transactions. The cryptocurrency offers near anonymity for its holders.

It is easy to fall victim to crypto miner malware since they are dropped from software found on the top of Google search results for legitimized applications. If you suspect your PC is infected, details on how to recover your infected machine can be found at the end of the CPR report.