According to new Check Point Research (CPR) report, a cybercriminal campaign, dubbed Nitrokod, is masking crypto-mining software as the desktop version of Google Translate (as well as other legitimate-sounding apps) to secretly make money from unsuspecting victims.
That Google app may not be what you thought it was
When users search for “Google Translate Desktop download,” the malicious link to the malware-infected software appears at the top of Google Search results (I’ve checked it myself and it’s still there). After victims unknowingly download the malicious, phony Google Translate app, something interesting happens: the infection process doesn’t occur right away. Instead, the cybercriminals delay it, insidiously defiling users’ PCs after a period of weeks. They also delete traces of the original installation. “Once the user launches the new software, an actual Google Translate application is installed,” the CPR report said. In other words, to make matters worse, the malicious developer of the Google Translate desktop app created a realistic-looking program using a Chromium-based framework that converts the Google Translate web page into a functional platform. “In addition, an updated file is dropped, which starts a series of four droppers until the actual malware is dropped,” the CPR report added. Once the malware finally “kicks in,” it connects to a Command and Control server that launches unauthorized crypto-mining activity, allowing cybercriminals to surreptitiously make money from unsuspecting Google Translate desktop app users. The cybercriminals are likely not collecting anything demanding nor energy-intensive like Bitcoin or Ethereum, but they could be mining Dogecoin or earning free Shiba Inu. If they’re leeching from enough victims, they could be making significant profit. Check Point Research suspects that Nitrokod infected thousands of machines worldwide across 11 countries. Keep in mind that the faux desktop Google Translate app isn’t the only bait the crypto-focused cybercriminals use to lure victims into their lair. They also offer “YouTube Music Desktop,” “Microsoft Translator Desktop,” and other questionable apps. It’s easy to fall victim to this attack, especially considering its high visibility on Google Search. CPR reminds users to only download software from authorized, known publishers and vendors. If you suspect that your PC was hijacked by Nitrokod, you’ll find a remediation section at the conclusion of the CPR report that explains how to clean an infected machine.
