A cryptomining campaign has potentially infected thousands of machines worldwide by hiding in a Google Translate download for desktops.
According to researchers at Check Point, the threat actor behind it is a Turkish-speaking software developer called Nitrokod, which offers free versions of popular software applications that don't have an official desktop version — like Google Translate.
In fact, its version of the translation utility, created using the official Google Translate webpages and a Chromium-based framework, is its most popular offering, researchers said in a blog post this week. It's distributed in a watering-hole approach, available via websites like Softpedia and Uptodown, and turning up at the top of search results for "Google Translate desktop download."
Unfortunately, the downloads are Trojanized, which victims might not realize for a very long time (or ever) given that the app actually works as advertised.
"This campaign highlights the diverse methods of propagation employed by cryptojacking groups," says Matt Muir, security researcher at Cado Security. "Although masquerading as legitimate applications is as old as malware itself … sadly, it remains far too easy to trick an end user into installing what they believe to be a popular application."
Built for Stealth
The campaign, which is ongoing and spreading globally, sports several features that are designed to help it remain undetected, Check Point researchers found.
For instance, after the software is installed, the infection process goes dormant for weeks. Tom Kellermann, senior vice president of cyber-strategy at Contrast Security, tells Dark Reading that this is a prime example of a growing trend.
"Notably, after initial injection they are waiting weeks to remain undetected," he says. "Placing malware on a sleep cycle is becoming mainstream, and 'chronos' attacks are growing where adversaries use time for the purposes of evasion."
After the sleep interval, the infection process is initiated and the victim receives an updated file that, over the course of a few days, loads a chained series of four droppers onto the machine. Finally, the last dropper fetches the Monero-focused XMRig cryptominer and executes it.
The miner then connects out to a command-and-control (C2) server for configuration data and begins mining, while the attackers delete any evidence of the infection process. Meanwhile, the Google Translate app keeps working properly on its own, giving analysts no red flags.
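The chain above is hard to catch at install time precisely because nothing malicious runs for weeks. The following is an added example, not code from the article or from Check Point, of the kind of behavioural check a defender can run over endpoint process telemetry instead: it flags miner-like processes (known miner name, sustained CPU, outbound connection to a mining-pool port), walks the parent-process chain back to the application that started it, and reports how long the implant stayed dormant. All telemetry records are constructed; the dropper file names, pool ports, thresholds and the XMRig file name are assumptions, not indicators published for this campaign.

```python
# Added example, not code from the article or from Check Point. It runs a
# behavioural check over constructed endpoint telemetry to catch the pattern
# the article describes: a trojanized app that sleeps for weeks, then spawns a
# chain of droppers that ends in XMRig talking to a mining pool. Process names,
# ports and thresholds below are assumptions, not indicators from the campaign.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcSample:
    ts: datetime                       # time the sample was taken
    pid: int
    ppid: int
    name: str
    cpu_pct: float                     # CPU share of this process at sample time
    remote_port: Optional[int] = None  # outbound TCP port seen in this sample


# Assumed: ports widely used by Monero mining pools (not taken from the article).
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
# XMRig is named in the article; the exact file name is an assumption.
MINER_NAMES = {"xmrig", "xmrig.exe"}
CPU_THRESHOLD = 80.0   # percent
MIN_HIGH_SAMPLES = 3   # samples above threshold before CPU counts as "sustained"


def miner_indicators(samples: List[ProcSample]) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, name, reasons) for every process that looks like a miner."""
    by_pid: Dict[int, List[ProcSample]] = {}
    for s in samples:
        by_pid.setdefault(s.pid, []).append(s)
    findings = []
    for pid, rows in by_pid.items():
        name = rows[0].name
        reasons = []
        if name.lower() in MINER_NAMES:
            reasons.append("process name matches a known miner")
        high = sum(1 for r in rows if r.cpu_pct >= CPU_THRESHOLD)
        if high >= MIN_HIGH_SAMPLES:
            reasons.append(f"CPU >= {CPU_THRESHOLD:.0f}% in {high} samples")
        pool_ports = sorted({r.remote_port for r in rows if r.remote_port in MINING_PORTS})
        if pool_ports:
            reasons.append(f"outbound connection to mining-pool port(s) {pool_ports}")
        if reasons:
            findings.append((pid, name, reasons))
    return findings


def lineage(pid: int, samples: List[ProcSample]) -> List[str]:
    """Walk parent pids back to the root. This is what recovers the trojanized
    app that started the chain even though it ran weeks before the miner."""
    first: Dict[int, ProcSample] = {}
    for s in samples:
        first.setdefault(s.pid, s)
    chain, seen = [], set()
    while pid in first and pid not in seen:
        seen.add(pid)
        chain.append(first[pid].name)
        pid = first[pid].ppid
    return chain


def dormancy_days(install_ts: datetime, pid: int, samples: List[ProcSample]) -> int:
    """Whole days between the app install and the first sample of the flagged process."""
    first_seen = min(s.ts for s in samples if s.pid == pid)
    return (first_seen - install_ts).days


# Constructed telemetry: one install, a weeks-long pause, a four-stage chain
# ending in a miner, plus benign noise that must not be flagged.
INSTALL_TS = datetime(2022, 6, 1, 1, 0)
T = datetime
SAMPLES = [
    ProcSample(T(2022, 6, 1, 1, 5), 100, 1, "GoogleTranslateDesktop.exe", 2.0),
    ProcSample(T(2022, 6, 25, 3, 0), 200, 100, "update.exe", 1.0, 443),   # dropper 1
    ProcSample(T(2022, 6, 27, 3, 0), 300, 200, "stage2.exe", 1.0),        # dropper 2
    ProcSample(T(2022, 7, 1, 3, 0), 400, 300, "stage3.exe", 1.0),         # dropper 3
    ProcSample(T(2022, 7, 3, 3, 0), 500, 400, "xmrig.exe", 95.0, 3333),   # miner
    ProcSample(T(2022, 7, 3, 3, 5), 500, 400, "xmrig.exe", 97.0, 3333),
    ProcSample(T(2022, 7, 3, 3, 10), 500, 400, "xmrig.exe", 96.0, 3333),
    ProcSample(T(2022, 7, 3, 3, 0), 600, 1, "chrome.exe", 30.0, 443),     # benign
    ProcSample(T(2022, 7, 3, 3, 0), 700, 1, "cl.exe", 99.0),              # one-off spike
]

if __name__ == "__main__":
    for pid, name, reasons in miner_indicators(SAMPLES):
        print(f"pid {pid} ({name}): " + "; ".join(reasons))
        print("  lineage:", " <- ".join(lineage(pid, SAMPLES)))
        print("  days dormant since install:", dormancy_days(INSTALL_TS, pid, SAMPLES))
```

The design point is that each stage on its own looks harmless (the droppers use almost no CPU, and one of them talks to port 443 like any updater), so the check keys on the final miner and then relies on retained parent-process lineage to attribute it back to the installer. Telemetry that is only kept for a few days would lose that link, which is exactly the separation Check Point describes.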
"This allowed the campaign to successfully operate under the radar for years," according to Check Point's analysis. "This way, the first stages of the campaign are separated from the ones that follow, making it very hard to trace the source of the infection chain and block the initial infected applications."
Active since 2019, Nitrokod claims to offer free and safe software, all of which is in reality malicious, researchers noted. Its other infected programs behave the same way as the Google Translate campaign, they said. Thus, while this campaign was spotted in July, it's likely that there will be additional activity from the cybercrime group going forward.
How to Protect Against Cryptomining
Assaf Morag, lead data analyst on the Aqua Nautilus research team, notes that the campaign illustrates how cryptojacking crooks are proliferating their attack methods and continuing to go after virtual coins as a quick financial win.
In addition to Trojanized applications, "some cryptominers are hidden in websites, and when an unsuspecting victim browses the site, the cryptomining script on the website is running in the browser, often without users' knowledge or consent," he says. "Another type of cryptojacking that we've seen recently is often more complex. It involves a large botnet infrastructure that scans for vulnerabilities and misconfigurations, exploits them, and disseminates the cryptojacking malware and often other malware aimed to expand the attack and make it persistent."
As a result, businesses should shore up their basic defenses such as patching and Web filtering, and implement policies against downloading anything but approved software onto endpoints, network sensors, servers, and firewalls. Beyond that, users should download software only from official repositories, like Google Play in this case; if there's no official desktop app, users should make do with the Web-based version.
Michael Clark, director of threat research at Sysdig, also says the campaign puts remote workers on notice.
"The software it pretends to be is something that could be used by anyone," he says. "It shows that your endpoints and even users at home could be affected by cryptomining. Endpoints may not be as powerful as servers, but for a cryptominer, every bit of processing power they can steal adds to their profits."
And what if it's too late? If infected, "users will see a performance issue with their systems and potentially need a fresh install of their operating system to rid the system of the malware effectively," says James McQuiggan, security awareness advocate at KnowBe4.