Malware that spreads via free software sites has been found to activate only after a one-month delay, which ultimately helps it avoid exposure.
As reported by Bleeping Computer, the malware campaign is camouflaging itself as Google Translate or MP3 downloaders. In reality, however, it operates as cryptocurrency mining malware for Windows-based systems.
Discovered in 11 countries so far, the rogue programs hide in plain sight on free software sites. A Check Point report details how a developer calling himself Nitrokod is behind the malware.
Although the apps appear to be legitimate, Check Point confirmed that they delay the installation of the malware for almost a month. From there, the infection chain “continued after a long delay using a scheduled task mechanism,” giving the threat actors enough time to get rid of any evidence.
After a victim launches any of the infected programs, a legitimate Google Translate application is installed on the system. The app can clear all system logs via PowerShell commands, as well as implement a firewall rule and exclude itself from detection by Windows Defender.
Once several weeks have passed, the malware loads itself and connects to a C&C server to receive a configuration for the XMRig crypto miner, after which the malicious application files start mining on the target PC.
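The staging behaviours described above (log clearing, a firewall rule, a Defender exclusion, a scheduled task that fires weeks later) can be correlated per host from Windows event logs. The following Python is an added example written for this page, not code from the article or the Check Point report; the event IDs are real Windows IDs, but the event records are constructed samples and the 14-day delay threshold is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Real Windows event IDs (channel, id) for the behaviours the article lists;
# the event records near the bottom are constructed samples, not real telemetry.
DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
INDICATORS = {
    ("Security", 1102): "security log cleared",
    ("System", 104): "system log cleared",
    ("Security", 4946): "firewall rule added",
    (DEFENDER, 5007): "Defender exclusion added",
    ("Security", 4698): "scheduled task created",
}
MIN_DELAY = timedelta(days=14)  # assumption: benign installers rarely stage this far ahead

def describe(evt):
    """Return an indicator label for one event, or None if it looks benign."""
    key = (evt["channel"], evt["event_id"])
    label = INDICATORS.get(key)
    if label is None:
        return None
    if key == ("Security", 4698):
        delay = evt["start"] - evt["time"]
        if delay < MIN_DELAY:
            return None  # ordinary task; only long-delayed triggers match the campaign
        return f"scheduled task delayed {delay.days} days"
    if key == (DEFENDER, 5007) and "Exclusions" not in evt["message"]:
        return None  # other Defender configuration changes are routine
    return label

def suspicious_hosts(events, threshold=3):
    """Collect distinct indicators per host; flag hosts reaching the threshold."""
    hits = defaultdict(set)
    for evt in events:
        label = describe(evt)
        if label:
            hits[evt["host"]].add(label)
    return {h: sorted(v) for h, v in hits.items() if len(v) >= threshold}

T0 = datetime(2022, 8, 1, 10, 0)
SAMPLE_EVENTS = [  # constructed sample records
    {"host": "ws1", "channel": "Security", "event_id": 1102, "time": T0, "message": "The audit log was cleared."},
    {"host": "ws1", "channel": "Security", "event_id": 4946, "time": T0, "message": "A rule was added."},
    {"host": "ws1", "channel": DEFENDER, "event_id": 5007, "time": T0,
     "message": "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"},
    {"host": "ws1", "channel": "Security", "event_id": 4698, "time": T0,
     "start": T0 + timedelta(days=30), "message": "A scheduled task was created."},
    {"host": "ws2", "channel": "Security", "event_id": 4698, "time": T0,
     "start": T0 + timedelta(hours=1), "message": "A scheduled task was created."},
    {"host": "ws2", "channel": DEFENDER, "event_id": 5007, "time": T0, "message": "New value: signature update"},
]
```

Calling `suspicious_hosts(SAMPLE_EVENTS)` flags only ws1: ws2's task fires within an hour and its Defender change is not an exclusion, so neither counts.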
Free software is an extremely popular search term on Google, and the fake Nitrokod apps rank high in the results. One such website, Softpedia, delivered more than 112,000 downloads of the developer’s Google Translate app.
As Bleeping Computer pointed out, cryptomining malware can put a system under a lot of stress because of the load it places on the hardware, which naturally leads to overheating. The overall performance of the machine also suffers, since the miner consumes additional CPU resources.
The malicious payload that is eventually activated could also be swapped for potentially more dangerous code if the threat actor decides to do so.
It is worth noting that you should always verify that you are downloading programs from official sources and be on the lookout for any suspicious developers, even if their version has been downloaded in the hundreds of thousands.