A report by Check Point Research (CPR) - the research team of American-Israeli cybersecurity provider Check Point Software Technologies - found that a Monero-mining malware has been infecting computers across 11 countries since 2019. The malware has come to be known as 'Nitrokod'.
According to the research team, this malware frequently pretended to be desktop versions of well-known programmes like Google Translate, YouTube Music, and Microsoft Translator. Numerous free software download portals, such as Softpedia and Uptodown, offer these spoofed versions.
The research states that the Turkish-based organisation running the malware operation for mining digital assets is banking on the unavailability of an official desktop version to draw users to the fake Google Translate desktop app, which is the sample the team's findings are based on. “Most of the programmes Nitrokod offers are popular software that do not have an official desktop version. For example, the most popular Nitrokod programme is the Google Translate desktop application. Google has not released an official desktop version, making the attackers’ version very appealing,” the report read.
The study found that the malware campaign's mode of operation has kept it from being detected until now. After the initial software download, the malware waits for a number of weeks before starting the covert mining of digital assets. It accomplishes this through a chain of scheduled tasks that carries out the malware installation in stages over a period of days, wiping evidence of each stage as it goes. What makes the process easier is that the attackers don't need to build the decoy software from scratch: the fake desktop apps are built as wrappers around the web-based versions of the official apps themselves.
The malware has also been leading to increased instances of cybercrime. In Israel, Germany, the United Kingdom, the United States, Sri Lanka, Cyprus, Australia, Greece, Turkey, Mongolia, and Poland, Check Point estimates that at least 100,000 people have unintentionally been using their CPUs to mine Monero (XMR).
According to a CNBC article, more and more cybercriminals are switching from other digital currencies like Bitcoin to Monero. They are drawn in by the privacy token's ability to essentially conceal all transactional information.
However, this is not the first time malware has been discovered infecting computers and secretly mining the privacy token. In a January incident, the cybersecurity firm ReasonLabs, based in New York, discovered that one such malware was disguising itself as a leaked copy of the popular Marvel film Spider-Man: Far From Home.