The Nitrokod crypto-miner evaded detection by security researchers for years. According to Check Point, however, the same infection route could also deliver more dangerous malware such as ransomware.
Crypto-mining malware is currently being spread through free downloads of fake versions of popular programs. Called Nitrokod, the malware tries to evade detection by lying dormant on infected Windows machines for a month before it runs for the first time.
“The malware is dropped from applications that are popular but do not have a true desktop version, such as Google Translate, which keeps the malware versions in demand and exclusive,” Check Point, which investigated the current campaign, disclosed.
According to the researchers, the infection begins when the victim downloads the application through a web installer. The installer launches an executable that establishes persistence for the malware on the system. After five days, the next stage activates a dropper that monitors the system and finally extracts a further installer from an encrypted RAR archive.
Nitrokod apparently active for years
Afterwards, all traces of the earlier activity are deleted from log files and a scheduled task is created to run 15 days later. That task downloads yet another encrypted RAR archive, which again contains a dropper; this one injects and executes a further dropper that finally installs the actual crypto miner.
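The staging pattern described in the two paragraphs above, a dropper that waits days before its next step and a scheduled task set to fire weeks after it was created, leaves an artefact a hunter can look for: a task whose first trigger lies far in the future relative to its registration date. The script below is an added example of that check, not Check Point's tooling and not a Nitrokod artefact. It parses the per-task XML that Windows keeps under C:\Windows\System32\Tasks and flags long start delays, with a second, weaker signal when the action runs from a user-writable directory. The two sample task definitions, the paths in them and the seven-day threshold are constructed for the demonstration and are not indicators from the campaign.

```python
"""Flag long-delayed scheduled tasks from Windows Task Scheduler XML.

Added example; not Check Point's tooling and not a Nitrokod artefact. Windows
keeps one XML file per task under C:\\Windows\\System32\\Tasks\\ (no file
extension). A task whose first trigger fires many days after it was registered,
and whose action runs from a user-writable path, matches the staging pattern
described in the article. The sample XML and every path in it are constructed.
"""
import os
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a standard user can write to; an assumption used only as a weak signal
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _parse_ts(text):
    # RegistrationInfo/Date and StartBoundary are ISO-8601 timestamps; drop any
    # fractional seconds or UTC offset so datetime.fromisoformat accepts them
    return datetime.fromisoformat(text.strip()[:19])


def analyse_task(xml_text, min_delay_days=7):
    """Parse one task definition and return the fields a hunter cares about."""
    root = ET.fromstring(xml_text)
    date_el = root.find("t:RegistrationInfo/t:Date", NS)
    registered = _parse_ts(date_el.text) if date_el is not None and date_el.text else None

    # Earliest StartBoundary across the trigger types that carry one
    starts = []
    for tag in ("TimeTrigger", "CalendarTrigger"):
        for trig in root.findall(f"t:Triggers/t:{tag}", NS):
            sb = trig.find("t:StartBoundary", NS)
            if sb is not None and sb.text:
                starts.append(_parse_ts(sb.text))
    first_run = min(starts) if starts else None

    delay_days = (first_run - registered).days if registered and first_run else None
    cmd_el = root.find("t:Actions/t:Exec/t:Command", NS)
    command = cmd_el.text.strip() if cmd_el is not None and cmd_el.text else ""

    return {
        "command": command,
        "delay_days": delay_days,
        "delayed": delay_days is not None and delay_days >= min_delay_days,
        "user_writable": any(h in command.lower() for h in USER_WRITABLE_HINTS),
    }


def scan_tasks(tasks, min_delay_days=7):
    """tasks: {task_name: xml_text}. Returns the names of tasks with a long start delay."""
    flagged = []
    for name, xml_text in tasks.items():
        try:
            info = analyse_task(xml_text, min_delay_days)
        except ET.ParseError:
            continue  # skip files that are not valid task XML
        if info["delayed"]:
            flagged.append(name)
    return flagged


def load_task_dir(path):
    """Read every task file below path; real files are UTF-16 with a BOM, else assume UTF-8."""
    tasks = {}
    for dirpath, _, files in os.walk(path):
        for f in files:
            full = os.path.join(dirpath, f)
            with open(full, "rb") as fh:
                raw = fh.read()
            enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
            tasks[full] = raw.decode(enc, errors="replace")
    return tasks


# Constructed samples. The paths are hypothetical, not Nitrokod indicators.
SAMPLE_BENIGN = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-08-01T09:00:00</Date></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2022-08-01T09:30:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>"""

SAMPLE_DELAYED = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2022-08-01T10:00:00</Date></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2022-08-16T10:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\alice\\AppData\\Roaming\\updater\\update.exe</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    tasks = load_task_dir(r"C:\Windows\System32\Tasks") if os.name == "nt" else {}
    tasks.update({"sample_benign": SAMPLE_BENIGN, "sample_delayed": SAMPLE_DELAYED})
    for name in scan_tasks(tasks, min_delay_days=7):
        info = analyse_task(tasks[name])
        print(f"{name}: first run {info['delay_days']} days after registration -> {info['command']}")
```

The delay is the primary signal because it is the behaviour the article describes; a long gap between registration and first run is rare for legitimate software, which typically schedules its first run within hours. The user-writable check is deliberately kept separate, since plenty of legitimate updaters live under AppData, and a hunter would combine the two with the task's author and creation process before escalating.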
Check Point believes that this campaign has been active for several years and has remained undetected until now. “What intrigues me most is the fact that the malicious software is so widespread and yet has gone unnoticed for so long,” said Maya Horowitz, vice president of research at Check Point Software.
Because crypto-miners merely steal computing resources to mine cryptocurrency for their operators, they are generally considered a relatively harmless class of malware. Check Point does not rule out, however, that the same infection route could be used to deliver far more serious threats. “Using the same course of attack, the attacker can easily change the final payload of the attack by transforming it from a crypto miner into, for example, ransomware or a banking Trojan,” Horowitz added.