Malware that is being distributed through free software sites has been discovered to be triggered after a month-long wait, which allows it to evade detection.
Bleeping Computer states that the malicious software is disguised as Google Translate or as an MP3 downloader. In reality, it is cryptocurrency-mining malware for Windows PCs.
The malware, which has been found in 11 nations so far, is distributed freely online. A study by Check Point identifies the developer behind it as an actor going by the name Nitrokod.
Check Point confirmed that the programs, which appear legitimate, postpone installation of the malware by nearly a month. The infection “continued after a considerable delay via a scheduled job mechanism,” which gave the threat actors time to erase any traces of the infection.
When a victim runs one of the infected programs, a legitimate Google Translate app is installed on their computer. The infected program then uses PowerShell commands to delete all system logs, set up a firewall rule, and prevent Windows Defender from detecting it.
A few weeks after the malware has been loaded, it connects to a C&C server to retrieve the XMRig crypto miner’s configuration. This lets the app’s malicious files start mining on the victim’s computer.
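The chain described above gives a defender two things to look for: several defence-evasion actions close together, followed by a scheduled task whose first run is weeks away. The following is an added example, not code from the article or from Check Point; the log lines and task records are constructed, and the command patterns are assumptions about common ways of performing each described action, not the actual Nitrokod commands (which the article does not give).

```python
import re
from datetime import datetime

# Constructed sample lines, in the style of PowerShell script-block logging.
# They are illustrative only and are not Nitrokod indicators.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\Public\\Translate",
    "wevtutil cl System; wevtutil cl Application; wevtutil cl Security",
    "netsh advfirewall firewall add rule name=\"Updater\" dir=in action=allow "
    "program=\"C:\\Users\\Public\\update.exe\"",
    "Add-MpPreference -ExclusionPath C:\\Users\\Public\\Translate",
    "Write-Host 'install complete'",
]

# Constructed scheduled-task records: (task name, created, first run).
SAMPLE_TASKS = [
    ("TranslateUpdate", datetime(2022, 8, 1), datetime(2022, 8, 2)),
    ("InstallService", datetime(2022, 8, 1), datetime(2022, 8, 30)),
]

# One regex per behaviour the article describes. The commands matched are an
# assumption about how such actions are commonly carried out.
BEHAVIOUR_PATTERNS = {
    "event_log_cleared": re.compile(r"\b(wevtutil\s+cl|Clear-EventLog)\b", re.I),
    "firewall_rule_added": re.compile(
        r"(netsh\s+advfirewall\s+firewall\s+add\s+rule|New-NetFirewallRule)", re.I),
    "defender_exclusion": re.compile(
        r"(Add-MpPreference\s+-Exclusion|Set-MpPreference\s+-Disable)", re.I),
}

def classify_script_blocks(blocks):
    """Return {behaviour: [matching lines]} for every behaviour observed."""
    hits = {}
    for line in blocks:
        for name, pattern in BEHAVIOUR_PATTERNS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(line)
    return hits

def delayed_tasks(tasks, min_delay_days=14):
    """Names of tasks whose first run is at least min_delay_days after creation."""
    return [name for name, created, first_run in tasks
            if (first_run - created).days >= min_delay_days]

def assess(blocks, tasks):
    """Two or more evasion behaviours plus a long-delayed task is the pattern
    the article describes; anything less is reported as no match."""
    hits = classify_script_blocks(blocks)
    delayed = delayed_tasks(tasks)
    verdict = "suspicious" if len(hits) >= 2 and delayed else "no_match"
    return {"behaviours": hits, "delayed_tasks": delayed, "verdict": verdict}
```

Running `assess(SAMPLE_SCRIPT_BLOCKS, SAMPLE_TASKS)` on the constructed data reports all three behaviours and the 29-day-delayed task, so the verdict is "suspicious"; real deployments would feed it Event ID 4104 script blocks and exported task definitions instead.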
Google receives a huge volume of queries for “free software sites,” and Nitrokod’s phony programs appear prominently in the search engine’s results. Softpedia, one of these sites, had over 112,000 downloads of the developer’s Google Translate program.
Bleeping Computer notes that crypto-mining malware can put significant strain on a system because of its effect on hardware and the resulting rise in temperature. A machine’s overall performance may suffer if the miner consumes too much of the central processing unit (CPU).
As for the code that is eventually activated, it could be switched to something potentially more dangerous if the threat actor decides to do so.
It’s important to remember that even if a program’s version has been downloaded hundreds of thousands of times, you should still only get it from reputable sources and watch out for sketchy programmers.