Turkish malware used to infect machines in 11 countries via fake Google Translate links

Turkish-speaking hackers are spreading crypto-mining malware via freeware download sites, including one offering a fake Google Translate desktop app, according to new research.

Cybersecurity firm Check Point said Monday that it discovered the campaign in late July and called it Nitrokod. The researchers said it may have infected thousands of devices with malware in 11 countries.

Maya Horowitz, vice president of research at Check Point, said her team found a popular website offering knockoffs of PC apps, including Google Desktop, which includes a cryptocurrency miner. The malware hijacks a device’s processor and forces it to verify transactions for cryptocurrencies such as Bitcoin.

“Malicious tools can be used by anyone. They can be found by a simple web search, they can be downloaded from a link, and installation is a simple double-click. We know that the tools are built by a Turkish-speaking developer,” said Horowitz. “Currently, the threat we identified was to unknowingly install a cryptocurrency miner, which steals computing resources and leverages them for monetization by the attacker.”

A search result that leads to a download of the malware.

As Horowitz explained, one of the links that leads to the download of the malware is easily found through Google when users search for “Google Translate Desktop download.”

The programs have a delayed mechanism that deploys the malware after several days or weeks and also removes any traces of the original installation, which “allowed the campaign to operate successfully under the radar for years,” the report says.

“The malware is first executed nearly a month after the Nitrokod program was installed,” the researchers wrote. “The infection chain continued after a long delay using a scheduled task mechanism, giving the attackers time to remove the evidence.”

Once the malware is finally downloaded, it connects to a command and control server and starts mining cryptocurrencies.

Horowitz added that the perpetrator can easily alter the final payload of the attack, swapping the cryptominer for, say, ransomware or a banking Trojan.

According to Check Point, software developer Nitrokod has been active since 2019, offering popular apps that don’t have official desktop versions. Many of Nitrokod’s programs can be found on free software sites like Softpedia and Uptodown.

One of Nitrokod’s most popular programs is the Google Translate desktop app. Google has never released a desktop app for Google Translate, which makes Nitrokod’s corrupted version one of the first links to appear in search results.

A screenshot of the malicious program. Image: Checkpoint

Check Point found that most of the platform’s programs are easily created with a Chromium-based tool that turns a web page, such as Google Translate, directly into an application, saving Nitrokod’s authors the time it would take to write functional programs.

Some of the programs have been downloaded more than 100,000 times.

“The most interesting thing for me is the fact that malware is so popular and yet it went unnoticed for so long,” he said. “We blocked the threat to Check Point customers and are publishing this report so others can be protected as well.”

Jonathan has worked around the world as a journalist since 2014. Before returning to New York City, he worked for media outlets in South Africa, Jordan, and Cambodia. He previously covered cyber security at ZDNet and TechRepublic.