Malicious actors show endless ingenuity in abusing users, and one form this takes is hijacking the computing capacity of a desktop computer to mine cryptocurrencies, in most cases a privacy-focused coin such as Monero (XMR). This practice can go under the radar for many years, as the cybersecurity firm Check Point Research (CPR) has just demonstrated, and all of it is done through downloads of popular applications such as Google Translate.
This is called cryptojacking or cryptomining, but the result is the same in both cases: part of the computing capacity of a private computer is hijacked to mine cryptocurrencies in complete discretion. The activity can be identified by a significant slowdown of the workstation, but some versions know how to make themselves even more invisible, for example by delaying their activation for a few weeks after the Trojan has been downloaded. And they can take the form of popular applications that are advertised as safe and verified.
Nitrokod – Over 100,000 PCs infected in 11 countries
This revelation comes from the cybersecurity company Check Point Research (CPR), and it specifically implicates a Turkish-speaking software provider that has been active since 2019. The provider, of course, claims to offer “free and secure software”. In fact, these are malicious versions of popular applications such as the famous Google Translate, an MP3 Download Manager, or a supposed desktop version of YouTube Music, each laced with a Trojan horse designed to mine the cryptocurrency Monero (XMR).
The cryptomining software installed in this way is called Nitrokod. According to data from Check Point Research (CPR), it is currently infecting more than 112,000 computers in 11 different countries. The applications in question are listed on download sites such as Softpedia and Uptodown, sometimes with surreal ratings: the desktop version of Google Translate displays an improbable 9.3, even though it was never developed by Google.
The countries most affected are Israel, Germany, the United Kingdom, the United States, Sri Lanka, Cyprus, Australia, Greece, Turkey, Mongolia and Poland. What sets this Nitrokod version apart is its ability to wait several days before triggering the Monero mining process. This keeps victims from becoming suspicious, and their computers have sometimes been infected for months or even years.
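The two detection signals the article describes, a sustained workstation slowdown and a mining process that only starts days or weeks after installation, can be turned into a simple endpoint heuristic. The following Python is an added example for this article, not code from Check Point Research or from the Nitrokod campaign; it assumes a monitoring agent that periodically records per-process CPU share, and all process names, thresholds and samples below are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    ts: int         # sample time, seconds since epoch
    name: str       # process image name (a real agent would also key on pid/hash)
    cpu_pct: float  # share of total CPU used by this process over the interval


# Hypothetical allowlist of processes that legitimately run hot for long periods.
ALLOWLIST = {"ffmpeg.exe"}


def sustained_high_cpu(samples, threshold=70.0, min_seconds=600, allowlist=ALLOWLIST):
    """Return {name: (start_ts, end_ts)} for every non-allowlisted process whose
    CPU share stays at or above `threshold` for an unbroken run of at least
    `min_seconds`. The longest qualifying run per process is reported."""
    by_proc = defaultdict(list)
    for s in samples:
        by_proc[s.name].append(s)

    hits = {}
    for name, procs in by_proc.items():
        if name in allowlist:
            continue
        procs.sort(key=lambda s: s.ts)
        best = None        # longest run seen so far as (start, end)
        run_start = None   # start of the current unbroken high-CPU run
        for s in procs:
            if s.cpu_pct >= threshold:
                if run_start is None:
                    run_start = s.ts
                length = s.ts - run_start
                if length >= min_seconds and (best is None or length > best[1] - best[0]):
                    best = (run_start, s.ts)
            else:
                run_start = None   # a single low sample breaks the run
        if best is not None:
            hits[name] = best
    return hits


def first_seen(samples):
    """Earliest sample time per process name."""
    fs = {}
    for s in samples:
        fs[s.name] = min(fs.get(s.name, s.ts), s.ts)
    return fs


def dwell_before_mining(samples, **kw):
    """Seconds between a process first appearing on the host and the start of
    its sustained high-CPU run. A dwell of days or weeks is the delayed
    activation pattern the article describes."""
    fs = first_seen(samples)
    return {name: start - fs[name]
            for name, (start, _end) in sustained_high_cpu(samples, **kw).items()}


# ---- constructed telemetry (not real data) ---------------------------------
DAY = 86400


def _run(name, start, n, step, cpu):
    return [Sample(start + i * step, name, cpu) for i in range(n)]


SAMPLES = (
    # Hypothetical trojanized "translator": idle for five days, then pegs the CPU.
    _run("translate-desktop.exe", 0, 5, 60, 1.5)
    + _run("translate-desktop.exe", 5 * DAY, 20, 60, 96.0)
    # Browser: a short two-minute burst, not a sustained load.
    + _run("chrome.exe", 3 * DAY, 3, 60, 90.0)
    + _run("chrome.exe", 3 * DAY + 180, 5, 60, 12.0)
    # Allowlisted encoder: long and hot, but expected.
    + _run("ffmpeg.exe", DAY, 30, 60, 99.0)
)

if __name__ == "__main__":
    for name, (start, end) in sustained_high_cpu(SAMPLES).items():
        dwell_days = dwell_before_mining(SAMPLES)[name] / DAY
        print(f"{name}: high CPU for {end - start}s, first seen {dwell_days:.1f} days earlier")
```

The run length check is what separates a miner from a browser tab that briefly spikes, and the dwell calculation surfaces the delay between install and activation that lets campaigns like this one sit unnoticed for months. In production the allowlist would be replaced by a baseline per host, and the process identity would include the image hash rather than the name alone, since a miner can pick any name it likes.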