Aug 30 — Cyber criminals are deploying cryptocurrency-mining malware disguised as legitimate-looking applications, such as Google Translate, on free software download sites and via Google searches.
The cryptomining Trojan, called Nitrokod, is usually disguised as a clean Windows app and works as the user expects for days or weeks before executing hidden Monero-mining code.
Experts say that the Turkish-speaking group behind Nitrokod – which has been active since 2019 and was detected by Check Point Research analysts towards the end of July – may have already infected thousands of systems across 11 countries. Interestingly, the apps provide a desktop version of services generally only found online.
“The malware is dropped from applications that are popular, but don’t have an actual desktop version, such as Google Translate, keeping the malware versions in-demand and exclusive,” says Check Point malware analyst Moshe Marelus.
“The malware drops almost a month after the infection, and following other stages to drop files, making it very hard to analyze back to the initial stage.”
In addition to Google Translate, other software leveraged by Nitrokod includes other translation applications. In some instances, the malicious applications will be advertised as clean, despite the fact that they are actually loaded with mining malware.
For more on this story, please visit Check Point Research.