A crypto-mining malware campaign active since 2019 is targeting users through fake desktop versions of popular web applications such as Google Translate, YouTube Music and Microsoft Translate. A new report from Check Point Research finds that the crypto miner is silently downloaded when users install one of these fake apps.
The malware is delivered through free software hosted on popular download sites such as Softpedia and Uptodown. Users also come across it when searching for “Google Translate Desktop download” on Google.
The report attributes the malware to a Turkish-speaking developer operating under the name Nitrokod, which claims to offer free and safe software. The trojanized apps contain a delayed dropper that holds off activating the malware for weeks, which makes the campaign hard to track. The final payload is a crypto-mining malware that also gives the operators remote access to the infected system and degrades it over time.
“While the applications boast “100% CLEAN” banners on some sites, the applications are in fact Trojanized, and contain a delayed mechanism to unleash a long multi-stage infection that ends with a cryptomining malware. After the initial software installation, the attackers delayed the infection process for weeks and deleted traces from the original installation. This allowed the campaign to successfully operate under the radar for years,” reads the Check Point Research blog post.
Nitrokod’s operational method involves dropping malware through popular applications that have no official desktop version, which keeps its offering in demand and exclusive. The Nitrokod infection chain goes through seven stages before the malware is activated, and it begins with the installation of the fake app:

1. The user downloads and installs the fake app.
2. GoogleTranslateDesktop2.50.exe is installed, placing the application at “C:\Program Files (x86)\Nitrokod\Google Translate Desktop\GoogleTranslateDesktop.exe”.
3. A delayed dropper (update.exe) is programmed to run at least five days after the installation time.
4. The malware drops an encrypted RAR archive, extracts the stage-5 dropper from it, and clears the logs of its previous actions.
5. The stage-5 dropper tampers with the system’s firewall rules.
6. It drops the miner dropper, which sets a scheduled task to start the malware every day.
7. In the final step, the malware detects whether the system is a laptop or a PC. On a PC, the bot connects to the C&C server and sends data in JSON format over HTTP POST requests; the data is then decoded, and further data encoded, on the remote end.
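The stages above map onto host artifacts a defender can hunt for: files under the Nitrokod install directory (and how long ago they landed, relative to the five-day delay), firewall allow rules and daily scheduled tasks pointing at that directory, and JSON HTTP POST traffic from a process in it. The script below is an added example written for this article, not code from Check Point Research or from the Nitrokod campaign. It runs the checks over constructed host records; the record layout (keys such as "files", "scheduled_tasks", "firewall_rules", "http_requests"), the task and rule names, and the C&C URL are assumptions made to resemble an EDR or inventory export, so adapt the field names to your own data.

```python
"""Hunt for the Nitrokod infection chain in host artifact records.

Added example for this article; not Check Point's or Nitrokod's code.
Record layout, task/rule names and the C&C URL below are assumptions.
"""
import json
from datetime import datetime

NITROKOD_DIR = r"C:\Program Files (x86)\Nitrokod"   # install path named in the report
DELAY_DAYS = 5   # stage-3 dropper waits at least this long after installation


def _under_nitrokod(path):
    """Case-insensitive prefix match on the Nitrokod install directory."""
    return path.lower().startswith(NITROKOD_DIR.lower())


def check_host(host, now):
    """Return one finding string per chain indicator present in the host record."""
    findings = []

    # Stage 2: application files under the Nitrokod directory. The install age
    # shows whether the stage-3 delay has elapsed, i.e. whether later stages may
    # already have executed on this host.
    for f in host.get("files", []):
        if _under_nitrokod(f["path"]):
            age = (now - datetime.fromisoformat(f["installed"])).days
            window = ("delay window still open" if age < DELAY_DAYS
                      else "delay elapsed; later stages may already have run")
            findings.append(f"file {f['path']} installed {age}d ago ({window})")

    # Stage 5: firewall allow rule for a program in that directory.
    for r in host.get("firewall_rules", []):
        if r["action"] == "allow" and _under_nitrokod(r["program"]):
            findings.append(f"firewall allow rule '{r['name']}' for {r['program']}")

    # Stage 6: daily scheduled task launching a program from that directory.
    for t in host.get("scheduled_tasks", []):
        if t["trigger"] == "daily" and _under_nitrokod(t["action"]):
            findings.append(f"daily task '{t['name']}' runs {t['action']}")

    # Stage 7: HTTP POST carrying a JSON body, sent by a process in that directory.
    for q in host.get("http_requests", []):
        if q["method"] != "POST" or not _under_nitrokod(q["process"]):
            continue
        try:
            body = json.loads(q["body"])
        except ValueError:
            continue   # not JSON, so not the beacon format described
        findings.append(f"JSON POST to {q['url']} from {q['process']} "
                        f"with keys {sorted(body)}")

    return findings


# Constructed sample records (not real telemetry).
NOW = datetime(2022, 9, 1, 12, 0, 0)
APP_DIR = NITROKOD_DIR + r"\Google Translate Desktop"
INFECTED_HOST = {
    "files": [
        {"path": APP_DIR + r"\GoogleTranslateDesktop.exe", "installed": "2022-08-20T09:15:00"},
        {"path": APP_DIR + r"\update.exe", "installed": "2022-08-20T09:15:00"},
    ],
    "firewall_rules": [
        {"name": "Google Translate Desktop", "action": "allow", "program": APP_DIR + r"\update.exe"},
    ],
    "scheduled_tasks": [
        {"name": "GoogleTranslateUpdate", "trigger": "daily", "action": APP_DIR + r"\update.exe"},
        # Benign daily task: must not be flagged.
        {"name": "OneDrive Standalone Update", "trigger": "daily",
         "action": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    ],
    "http_requests": [
        {"method": "POST", "url": "http://c2.example.invalid/api", "process": APP_DIR + r"\update.exe",
         "body": '{"machine": "PC", "id": "constructed-id"}'},
    ],
}
CLEAN_HOST = {
    "files": [{"path": r"C:\Program Files\Mozilla Firefox\firefox.exe", "installed": "2022-06-01T08:00:00"}],
    "firewall_rules": [{"name": "Firefox", "action": "allow",
                        "program": r"C:\Program Files\Mozilla Firefox\firefox.exe"}],
    "scheduled_tasks": [{"name": "Firefox Default Browser Agent", "trigger": "daily",
                         "action": r"C:\Program Files\Mozilla Firefox\default-browser-agent.exe"}],
    "http_requests": [{"method": "POST", "url": "https://example.org/", "process":
                       r"C:\Program Files\Mozilla Firefox\firefox.exe", "body": '{"x": 1}'}],
}

if __name__ == "__main__":
    for name, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        print(name, "->", check_host(host, NOW) or "no findings")
```

The path-prefix match deliberately covers all four artifact types, because any one of them on its own (a daily task, an allow rule, a JSON POST) is common on a healthy Windows host; it is the combination anchored on the same directory that reproduces the chain the report describes.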