Malware distributed through free-software download sites has been found to delay its activation for about a month, a wait that helps it avoid detection.
As reported by Bleeping Computer, the campaign disguises itself as desktop Google Translate or MP3 downloader programs. In reality the installers deliver cryptocurrency-mining malware for Windows systems.
Infections have been found in 11 countries so far, and the bogus programs hide in plain sight on free-software sites. A Check Point report attributes the malware to a developer who goes by the name Nitrokod.
Although the applications appear legitimate, Check Point found that they hold off installing the malware for almost a month. The infection chain “continued after a long delay using a scheduled task mechanism,” which gave the operators time to remove evidence of the initial installation before the miner ever ran.
When a victim runs one of the trojanized installers, a working Google Translate desktop application is installed, so nothing looks wrong. The dropped components then clear the system event logs with PowerShell commands, add a firewall rule, and add an exclusion so that Windows Defender will not scan the malware's files.
Several weeks later the final stage is loaded. It connects to a command-and-control (C&C) server, receives a configuration for the XMRig cryptominer, and the malicious files begin mining on the victim's PC.
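Each behaviour in the chain above (a scheduled task that fires weeks later, a Windows Defender exclusion, a new firewall rule, cleared event logs, and an XMRig miner) leaves something an administrator can look for. The following PowerShell hunting script is an added example written for this article; it is not code from Check Point, Bleeping Computer, or the Nitrokod campaign, and it contains no Nitrokod-specific indicators. The user-writable roots, miner command-line tokens, and CPU threshold are generic assumptions chosen for illustration. Run it in an elevated PowerShell session on the host being examined.

```powershell
# Added hunting script for the behaviours described in the article.
# Not from the Check Point report or Bleeping Computer; no Nitrokod IOCs.
# Assumptions (for illustration): the roots below are "user-writable",
# the tokens below are typical XMRig command-line fragments, and 60 s of
# CPU time is the threshold for "busy". Tune all three for your fleet.

$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC)
$MinerTokens  = @('xmrig', 'stratum+tcp', 'stratum+ssl', '--donate-level', '--algo')
$CpuSeconds   = 60

function Test-UserWritablePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $UserWritable) {
        if ($root -and $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

Write-Host "== Scheduled tasks whose action runs from a user-writable location =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (Test-UserWritablePath $action.Execute) {
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                Execute   = $action.Execute
                Arguments = $action.Arguments
                State     = $task.State
            }
        }
    }
} | Format-Table -AutoSize

Write-Host "== Windows Defender exclusions (adding one needs admin rights; review every entry) =="
$mp = Get-MpPreference
@(
    $mp.ExclusionPath      | ForEach-Object { [pscustomobject]@{ Type = 'Path';      Value = $_ } }
    $mp.ExclusionProcess   | ForEach-Object { [pscustomobject]@{ Type = 'Process';   Value = $_ } }
    $mp.ExclusionExtension | ForEach-Object { [pscustomobject]@{ Type = 'Extension'; Value = $_ } }
) | Format-Table -AutoSize

Write-Host "== Enabled firewall rules whose program lives in a user-writable location =="
Get-NetFirewallRule -Enabled True | ForEach-Object {
    $rule = $_
    $app  = $rule | Get-NetFirewallApplicationFilter
    if (Test-UserWritablePath $app.Program) {
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Direction = $rule.Direction
            Action    = $rule.Action
            Program   = $app.Program
        }
    }
} | Format-Table -AutoSize

Write-Host "== Event-log clearing: 1102 = Security audit log cleared, 104 = System log cleared =="
$cleared = @()
$cleared += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue
$cleared += Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -ErrorAction SilentlyContinue
$cleared | Select-Object TimeCreated, Id, LogName,
    @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } | Format-Table -AutoSize

Write-Host "== Processes with miner-style command lines, or busy processes running from user-writable paths =="
$cpuById = @{}
Get-Process | ForEach-Object { $cpuById[$_.Id] = [double]$_.CPU }
Get-CimInstance Win32_Process | ForEach-Object {
    $cmd = if ($_.CommandLine) { $_.CommandLine.ToLowerInvariant() } else { '' }
    $tokenHit = $false
    foreach ($t in $MinerTokens) { if ($cmd.Contains($t.ToLowerInvariant())) { $tokenHit = $true } }
    $cpu = if ($cpuById.ContainsKey($_.ProcessId)) { $cpuById[$_.ProcessId] } else { 0 }
    if ($tokenHit -or ($cpu -gt $CpuSeconds -and (Test-UserWritablePath $_.ExecutablePath))) {
        [pscustomobject]@{
            PID         = $_.ProcessId
            Name        = $_.Name
            CpuSeconds  = [int]$cpu
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
        }
    }
} | Format-Table -AutoSize -Wrap
```

Two points worth keeping in mind when reading the output. First, clearing a log is itself logged: Windows writes event 1102 to the Security log and event 104 to the System log as the first entry after a clear, so the act the malware uses to hide becomes an indicator, and forwarding logs off the host to a SIEM defeats the month-long wait entirely because the evidence has already left the machine. Second, the path and CPU checks are deliberately noisy (plenty of legitimate software updates itself from LocalAppData), so treat them as triage leads rather than verdicts, and pay most attention to the Defender exclusion list, which is usually empty on a machine nobody has deliberately tuned.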
Searches for free software downloads are extremely common on Google, and Nitrokod's fake apps ranked high in the results. One hosting site alone, Softpedia, served over 112,000 downloads of the developer's Google Translate app.
As Bleeping Computer points out, cryptomining malware places sustained load on the hardware, which leads to overheating and, because the miner consumes CPU time that other programs need, noticeably degraded performance.
The payload that eventually runs is also not fixed: since the miner is delivered and configured from the C&C server, the threat actor could replace it with more dangerous code at any time.
Always download software from the vendor's official site, and treat unfamiliar developers with suspicion even when their build has hundreds of thousands of downloads; a high download count says nothing about whether the program is safe.