Nitrokod Crypto Miner Infected Over 111,000 Users with Copies of Popular Software
2022-08-29 10:15

The campaign entails serving malware through free software hosted on popular sites such as Softpedia and Uptodown.

In an interesting tactic, the malware delays its execution for weeks and decouples its malicious activity from the downloaded fake software in order to evade detection.

Installation of the infected program is followed by the deployment of an update executable to disk, which in turn kick-starts a multi-stage chain of droppers, each one paving the way for the next, until the actual malware is dropped in the seventh stage.

Upon execution, the malware connects to a remote command-and-control server to retrieve a configuration file that initiates the coin-mining activity.

A notable aspect of the Nitrokod campaign is that the fake software offered for free is for services that do not have an official desktop version, such as Yandex Translate, Microsoft Translate, YouTube Music, MP3 Download Manager, and PC Auto Shutdown.

"The attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking trojan."


News URL

https://thehackernews.com/2022/08/nitrokod-crypto-miner-infected-over.html