Crypto Mining Malware impersonates Microsoft Translator and infects over 100,000 users

Alex Dovbnya

Clever crypto-mining malware campaign managed to go undetected for years, infecting over 100,000 users in 11 countries

An active cryptocurrency mining malware campaign has already infected more than 111,000 users in Germany, Israel, Poland, the United States and other countries, according to a report released by US-Israeli cybersecurity vendor Check Point Software Technologies.

Bad actors lay traps for victims on websites like Softpedia that offer free software. They trick users into downloading desktop versions of services like YouTube Music and Microsoft Translator. The problem? These services don’t actually have official desktop versions.

The campaign, which has been under the radar for years, is believed to be linked to a Turkish software developer dubbed Nitrokod, which claims to offer free software.

It managed to remain undetected for such a long time due to its sophisticated multi-step infection process. By delaying the execution of malware for weeks after installation and removing all traces, it makes it extremely difficult to link the malware to a particular ill-fated installation.

After execution, the malware starts a stealth Monero (XMR) crypto-mining operation by connecting to its command and control server and obtaining the XMRig CPU mining tool. To ensure that the malware stays active, a scheduled task is set to run it every day.

Check Point claims that even unsophisticated users are able to access the set of necessary tools which can be installed with just a few clicks.

Monero remains the undisputed currency of choice for cryptojackers due to its anonymity features. A 2019 study showed that illicit crypto mining was responsible for up to 4% of the total circulating supply of XMR.
