
Researchers have uncovered a new, currently active cryptocurrency mining campaign that mimics the Google Translate desktop application and other types of ‘software’ to infect victims’ computers.
The cybersecurity company Check Point has indicated that this campaign has operated successfully for years and has claimed 111,000 victims in 11 countries since 2019, as pointed out in a statement sent to Europa Press.
The cybercriminals release free ‘software’ on popular download sites such as Softpedia and Uptodown, but it can also be found easily through Google, specifically by typing ‘Google Translate Desktop download’ into the search engine.
After the software is installed, the attackers delay the infection process for weeks so that traces of the original download are removed.
Check Point emphasizes that the success of this campaign, created by a Turkish-speaking entity called Nitrokod, is due to several key strategies the cybercriminals have implemented.
Among them is delaying the start of the malicious ‘software’, which executes for the first time almost a month after the installation of the counterfeit program. In addition, it is delivered only after 6 prior stages of infected programs.
Moreover, the infection chain continues after this delay via a scheduled task mechanism, which gives the attackers time to delete all their evidence in that period.
Regarding the methodology, the infection begins with the installation of an already infected program or service downloaded from a web page.
A real-looking Google Translate copycat application is then installed, and an update file is dropped on the disk which starts a series of four ‘droppers’ until the real ‘malware’ is dropped.
Once executed, it connects to its command and control (C&C) server to fetch a configuration for the XMRig cryptocurrency miner and begins mining.
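The delayed-start behaviour described above leaves a visible trace for defenders: a scheduled task whose first run is weeks after it was created, launching a binary from a user-writable folder. The following is an added triage example, not code from the article, Check Point or Nitrokod; the task records, field names, thresholds and directory list are all constructed assumptions, and a real deployment would feed in parsed task exports instead.

```python
"""Heuristic triage of scheduled tasks for long-delayed first execution.

Added example (not Check Point's or Nitrokod analysis code). Flags tasks whose
first scheduled run is far from their creation time and whose action runs
from a user-writable location. Records below are constructed; the field
names are assumptions, not a real schtasks export format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, Iterable

# Assumed threshold: a first run this long after creation is unusual for
# ordinary updaters (illustrative value, not from the article).
MIN_DELAY = timedelta(days=14)

# Assumed list of path components a normal user can write to; a task
# launching a binary from here deserves a closer look.
USER_WRITABLE = ("appdata", "temp", "tmp", "programdata", "downloads", "public")


@dataclass
class TaskRecord:
    name: str
    created: datetime   # when the task was registered
    next_run: datetime  # first scheduled execution
    command: str        # action command line as stored in the task


def executable_path(command: str) -> str:
    """Return the executable part of a command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def from_user_writable(command: str) -> bool:
    """True if the executable lives under a user-writable directory."""
    exe = executable_path(command)
    parts = {p.strip("\\").lower() for p in PureWindowsPath(exe).parts}
    return any(d in parts for d in USER_WRITABLE)


def assess(task: TaskRecord) -> str:
    """Score one task: 'high' if both signals fire, 'medium' if one, else 'none'."""
    reasons = []
    if task.next_run - task.created >= MIN_DELAY:
        reasons.append("delayed_start")
    if from_user_writable(task.command):
        reasons.append("user_writable_path")
    return {2: "high", 1: "medium"}.get(len(reasons), "none")


def triage(tasks: Iterable[TaskRecord]) -> Dict[str, str]:
    """Map each task name to its verdict."""
    return {t.name: assess(t) for t in tasks}


# Constructed sample records (not real task names or paths).
SAMPLE_TASKS = [
    TaskRecord("BackupAgentCheck", datetime(2022, 8, 1), datetime(2022, 8, 2),
               r'"C:\Program Files\BackupAgent\check.exe" /quiet'),
    TaskRecord("TranslateDesktopUpdate", datetime(2022, 8, 1), datetime(2022, 8, 29),
               r'"C:\Users\alice\AppData\Roaming\TranslateDesktop\update.exe"'),
    TaskRecord("CleanupTemp", datetime(2022, 8, 1), datetime(2022, 8, 1, 13),
               r'C:\Windows\System32\cmd.exe /c del %TEMP%\*.log'),
    TaskRecord("DeferredPostInstall", datetime(2022, 8, 1), datetime(2022, 8, 20),
               r'C:\Program Files\Vendor\postinstall.exe'),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_TASKS).items():
        print(f"{verdict:6} {name}")
```

Only the executable path is inspected, so arguments that merely mention a temp directory (as in the cleanup task) do not raise the score; a long delay alone or a user-writable path alone yields a medium finding worth reviewing rather than an alert.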
To avoid this type of attack, the cybersecurity company recommends paying attention to the domains of web pages and watching for possible spelling errors in them, as well as for unknown email senders.
It is also advisable to download ‘software’ only from known and authorized publishers and vendors, and to prevent zero-day attacks with a comprehensive and up-to-date security architecture.
Source: Europa Press