New Google Translate Cryptomining Malware Discovered
A new cryptomining malware attack masquerading as a Google Translate download was discovered in late July by Check Point Research (CPR).
The malware, known as Nitrokod, is thought to have infected thousands of machines around the world, and to have sat on several popular websites, including Softopedia and Uptodown, without the knowledge of the site owners themselves. It was also available directly through a Google search for “Google Translate Desktop download.”
Clicking on the software download installed the cryptominer onto unsuspecting users’ machines. But this particular malware was in no hurry – it was a multi-stage infection that only began cryptomining weeks after it was downloaded. In fact, those first few weeks included the deletion of any tell-tale traces of the initial infection, so that the cryptominer could sit under the surface of the machine, potentially undetected for years.
Baiting The Hook
It’s important to understand how Nitrokod lured in its victims. There is not, for instance, and never has been, an official Google Translate desktop application. Nitrokod, a Turkish-speaking software developer, offers what it presents as free, safe software downloads, largely of applications that don’t have official downloadable versions, including the Google Translate download.
That can be highly appealing bait for individuals and companies who find themselves in frequent need of the application. Users have no particular reason to doubt that Google has officially released a desktop version, or that a software developer has created its own front end to act as a desktop host for the online service. With plenty of banners declaring the clean status of the download, people click to download the useful application without much by way of a second thought.
And since 2019, people have been doing precisely that, accidentally downloading a cryptomining malware onto their machines.
The design of most of the Nitrokod programs is in fact fairly simple – they load the official web pages of the apps they deliver ‘downloadable’ versions of, through a Chromium-based framework. So the downloaded program is minimum-effort and, at least in its basics, does deliver the functionality it promises.
And the delay, usually of at least a month, between downloading the program and the beginning of any malicious activity, helps separate any observed issues from the point of entry. In fact, there are usually six prior stages to the infection before the cryptomining malware gets to work, and one of those stages involves the removal of the evidence of initial infection.
The Chain of Infections
This delayed action infection is a signature of many modern malware infections, and a speciality of the Nitrokod campaigns. It’s effected by what’s known as an infection chain, one thing leading to another, each step distancing the danger from the point of initial infection.
When you download the desktop Google Translate application, what you get is an actual Google Translate desktop application. That allays any suspicion – no alarms go off, and very often, none of the programs you’ve installed specifically to find and root out infections notice anything is wrong.
What comes with the Google Translate application is a secondary dropper. Once the user launches the new software, an actual Google Translate application is installed. That begins a series of four droppers ahead of the actual malware.
The Initial Download
GoogleTranslateDesktop.exe is a Windows installer built with Inno Setup, a free tool for packaging and building setup files. The installer starts by downloading an encrypted RAR file. To protect it against random scans and downloads, the file is only served from the attacker’s server if the user-agent is set to “InnoDownloadPlugin/1.5” (Inno setup deflate user agent).
Then GoogleTranslateDesktop2.50.exe is extracted from the RAR file using “asx” as the password.
The GoogleTranslateDesktop2.50.exe installer starts by installing the Google Translate application on the following path: “C:\Program Files (x86)\Nitrokod\Google Translate Desktop\GoogleTranslateDesktop.exe”
After installation, the installer checks if an update.exe file exists on the following path: “C:\ProgramData\Nitrokod”. If the file does not exist or the file version is not 188.8.131.52, the third stage dropper update.exe is dropped. A scheduled task is set to start the update at every system startup.
Finally, the installer sends a Post Install message to the Nitrokod domain with some information on the infected machine. All the details are sent as arguments on an HTTP GET request.
The Delayed Drop
The stage 3 dropper (update.exe) is programmed to run at least five days after the installation time. It does so by maintaining two registry keys.
- “HKLU\Software\Update\D” – stores the last run time date.
- “HKLU\Software\Update\S” – acts as a counter.
Each time the updater is executed (on every system startup), it checks if the last execution date is equal to the current date. If not, the counter is incremented by one. Once the counter hits the value 4, the 4th stage dropper (chainlink1.07.exe) is extracted from another encrypted RAR file. In practice, this operation requires at least four restarts on four different days, which would often translate into at least several weeks of normal use. This mechanism is also an effective way to avoid sandbox detection, because a sandbox does not run over several days and multiple restarts.
The Scheduled Tasks
The fourth stage dropper is in charge of creating four different scheduled tasks. After creating those scheduled tasks, it clears all system logs using the PowerShell command Clear-EventLog. The stage 3 and stage 4 droppers then delete themselves.
All related files and evidence quickly follow, being deleted into digital thin air. Then, the infection waits 15 days before reactivating by running the Windows utility “schtasks.exe.” That’s a significant distance between the point of initial incursion and the beginning of any hardcore malware activity, which makes it especially hard to trace.
After 15 days, an encrypted RAR file is downloaded from intelserviceupdate[.]com via the first scheduled task. The next day, the file is decompressed via the second scheduled task and the stage 5 file is extracted. One day later, the stage 5 file is executed by the third task.
Testing the Ground
The stage 5 file checks whether certain programs are installed on the infected machine. First, it checks against a list of known virtual machine processes and then against a list of mainly security products. If one of the programs is found, the program exits.
Then a firewall rule is added to allow incoming network connections for a program that will be dropped in the following stage, named “nniawsoykfo.exe.”
Once that is achieved, Windows Defender activity is excluded for the “nniawsoykfo.exe” file, and for a “powermanager.exe” file that gets dropped shortly afterwards, so that neither is scanned when it arrives.
Then the program drops the last dropper, “nniawsoykfo1.8.exe” from an encrypted RAR file, and executes it.
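The behaviours described in the last two sections leave traces a defender can hunt for: scheduled tasks created and the event logs cleared moments later, then, weeks afterwards, Defender exclusions naming the files above. The following is an added example, not code from Check Point or from this article; it assumes events are forwarded to a central collector before the local logs are cleared, and the host names, timestamps, task names, paths and the ten-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows event IDs: 4698 = scheduled task created (Security log),
# 1102 = Security log cleared, 104 = an event log was cleared (System log),
# 5007 = Microsoft Defender configuration changed.
TASK_CREATED, LOG_CLEARED, DEFENDER_CHANGED = {4698}, {1102, 104}, {5007}
# File names the article says receive Defender exclusions.
EXCLUDED_NAMES = ("nniawsoykfo.exe", "powermanager.exe")
WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per site

# Constructed sample of centrally forwarded events (hosts, times and paths
# are made up): (host, ISO timestamp, event id, detail text).
SAMPLE_EVENTS = [
    ("ws-01", "2022-07-01T09:00:05", 4698, r"\ExampleTask1"),
    ("ws-01", "2022-07-01T09:00:06", 4698, r"\ExampleTask2"),
    ("ws-01", "2022-07-01T09:00:30", 104, "System log cleared"),
    ("ws-01", "2022-07-01T09:00:31", 1102, "Security log cleared"),
    ("ws-01", "2022-07-18T08:15:00", 5007,
     r"Windows Defender\Exclusions\Paths\C:\example\nniawsoykfo.exe = 0x0"),
    ("ws-02", "2022-07-02T10:00:00", 4698, r"\BackupJob"),
    ("ws-02", "2022-07-02T13:00:00", 104, "Application log cleared"),
    ("ws-02", "2022-07-03T10:00:00", 5007, r"Windows Defender\Scan\ScheduleDay = 0x2"),
    ("ws-03", "2022-07-20T11:00:00", 5007,
     r"Windows Defender\Exclusions\Processes\powermanager.exe = 0x0"),
]

def hunt(events, window=WINDOW):
    """Return {host: sorted finding names} for the two behaviours above."""
    findings, last_task = {}, {}
    for host, ts, eid, detail in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        text = detail.lower()
        if eid in TASK_CREATED:
            last_task[host] = when  # remember the latest task creation
        elif eid in LOG_CLEARED:
            seen = last_task.get(host)
            if seen is not None and when - seen <= window:
                findings.setdefault(host, set()).add("tasks-then-log-clear")
        elif eid in DEFENDER_CHANGED and "exclusions" in text:
            if any(name in text for name in EXCLUDED_NAMES):
                findings.setdefault(host, set()).add("defender-exclusion")
    return {host: sorted(names) for host, names in findings.items()}

if __name__ == "__main__":
    for host, names in hunt(SAMPLE_EVENTS).items():
        print(host, names)
```

The exclusion check deliberately has no time window, because the article's timeline puts more than two weeks between the log clearing and the Defender changes.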
The Malware Drop
That last dropper delivers three files: the malware, the miner, and a sys file that helps them work.
The next day, the malware is executed by a scheduled task, and the long-haul cryptomining can begin.
The point of all this delayed dropping and gentle increase in infection is to act less like a bank robber and more like a spy – to sit quietly mining resources for an indefinite period, rather than to grab a lot of, e.g., data at one time, and set off every alarm in the place. It was only detected by Check Point using the Infinity XDR (Extended Detection and Response) platform. That platform has techniques to counteract an attack’s evasion strategies, and allow its activities to be observed and countermanded.
XDR and similar detection platforms have multiple behavioral detection elements built in, precisely so they can combat the new generation of stealthy threats that won’t be used for the likes of ransomware, but that can harvest data, or be used as secret cryptominers, for an indefinite period.
30 November 2023