Multi-stage crypto-mining malware hides in legitimate apps with month-long delay trigger

Researchers have discovered a new multi-stage malware distribution campaign that relies on legitimate application installers distributed via popular software download sites. The delivery of the malicious payload, which includes a cryptocurrency mining program, is done in stages with long delays of up to almost a month.

“After the initial installation of the software, the attackers delayed the infection process for weeks and deleted traces of the original installation,” researchers from security firm Check Point Software Technologies said in a statement. . new report. “It allowed the campaign to operate successfully under the radar for years.”

Trojan apps campaign started in 2019

According to the Check Point Research team, a Turkish-speaking software developer called Nitrokod is behind the campaign, which has been running since at least 2019. Nitrokod’s website claims that the developer has created free software applications, including video and music converters, video downloaders. and music players since 2017 with a combined install base of approximately 500,000 users.

Some of the Nitrokod trojan programs can be found on application download sites such as Softpedia and Uptodown. The application analyzed by Check Point is called Google Translate Desktop and is a desktop application that allows users to use the service of Google Translate, which is normally only available as a web service through a browser.

In fact, the Google Translate Desktop app itself is built using the Chromium Embedded Framework (CEF) open source project which allows app developers to implement the Chrome browser in their apps to display web content. This allowed the authors of Nitrokod to create functional applications without much effort.

In addition to Google Translate Desktop, the developer also distributes similar applications such as Yandex Translate Desktop, Microsoft Translator Desktop, YouTube Music Desktop and Mp3 Download Manager, Pc Auto Shutdown. Check Point has identified users of these Trojan apps in 11 countries.

Delayed deployment of malware to avoid detection

Once the user downloads and installs an application, the deployment of malicious payloads does not occur immediately, which is a strategy to avoid detection. First, the app installer, which is built with a free tool called Inno Setup, accesses the developer’s website and downloads a password-protected RAR archive that contains the app files. . These are deployed under Program Files (x86)Nitrokod[application name] path.

The application then checks for the presence of a component called update.exe. If not found, it deploys it under the Nitrokod folder and sets up a system scheduled task to run it after every reboot. The installer then collects information about the victim’s system and sends it to the developer’s server.

The installation so far is not very unusual for the behavior of a legitimate application: collecting certain system data for statistical purposes and deploying what looks like an automatic update component. However, after about four system reboots on four different days, update.exe downloads and deploys another component called chainlink1.07.exe. This mechanism of delaying deployment and requiring multiple restarts is likely an attempt to circumvent sandbox analysis systems, which do not test application behavior across multiple restarts.

The chainlink1.07.exe stager creates four different scheduled tasks that will run with different delays. One of them, which runs every three days, uses PowerShell to delete system logs. Another is set to run every 15 days and downloads another RAR archive from a different domain which uses the intentionally misleading name intelserviceupdate. A third scheduled task runs every two days and is configured to decompress the RAR archive if it exists, while the fourth task runs every day and is configured to run another component of the archive.

Even though they are configured to run with higher frequency, the third and fourth tasks do nothing until the 15-day delayed task that downloads the RAR archive runs, because otherwise there is no has no tarball to extract or executable to run.

“At this point, all associated files and evidence are deleted and the next stage of the infection chain will continue after 15 days through the Windows utility schtasks.exe,” the researchers said. “This way, the early stages of the campaign are separated from those that follow, making it very difficult to trace the source of the infection chain and block early infected apps.”

The new malicious component is an intermediate dropper that further prepares the system for the final stages. First, it checks running processes for virtual machine applications and known security products and, if necessary, it halts execution. If this check is successful, it adds a new firewall rule for the following components, along with exclusions for them in Windows Defender.

Finally, the dropper deploys another component called nniawsoykfo1.8.exe, which then deploys two other executable files called nniawsoykfo.exe and powermanager.exe. The latter is a copy of the open-source cryptocurrency mining program XMRig, while the former is a component that controls the miner and connects to a domain with nvidiacenter in its name where the common server and attacker control is hosted.

The program sends system information such as idle time, number of processor cores, whether desktop or laptop, installed anti-virus programs, version of Powermanager.exe deployed (XMRig) and more.

Strong app usage policies primary defense against trojan horse apps

While fake apps or Trojans aren’t a new attack vector, stealth campaigns like this that manage to go unnoticed for years show why it’s extremely important for organizations to have Strong app usage policies and enforce them for employees. Application whitelisting solutions can also be used on sensitive systems to limit which applications and locations can be downloaded and installed by employees.