Description
The Turkish-based crypto-miner malware campaign known as Nitrokod was seen infecting machines in eleven countries using trojanized copies of popular software distributed through dozens of free-software download sites.
Summary
Nitrokod, a Turkish software developer group, claims to offer free software that is safe and clean to use. These applications can be found on popular download sites such as Softpedia and Uptodown, as well as on the Nitrokod website. Most of the programs offered are desktop versions of popular applications such as Google Translate, YouTube Music, Mp3 Download Manager, Pc Auto Shutdown and Microsoft Translator. Because these services have no official desktop version, the applications are built by wrapping the official web application in a Chromium-based framework. Each application is bundled with a Trojan that uses a delayed mechanism to avoid detection and starts a long, multi-stage infection chain that ends with the crypto-mining malware installed.
How it works
To avoid detection, the malicious activity is separated from the program the user downloaded: the malware is not executed until almost a month after the program was downloaded and installed. The infection chain has several stages, and the delay between them also gives the malware time to remove any evidence of malicious activity.
The initial stage starts when one of the Nitrokod programs is downloaded and installed. The installer installs the program normally and drops an update.exe that is scheduled to run at every system startup and keeps a count of startups. The installer also sends a "Post Install" message to the Nitrokod domain containing information about the infected machine.
update.exe only proceeds after five system startups. It then launches another dropper, chainlink1.07.exe, which creates four scheduled tasks: the first downloads an encrypted RAR archive via Wget; the second extracts the next dropper from the archive; the third executes that dropper; and the fourth clears the system logs.
The new dropper checks whether certain programs are installed on the infected machine, comparing against a list of known virtual-machine and security products. If any of them is found, the dropper exits. Otherwise, a firewall rule is added to allow incoming network connections to the Nitrokod C&C server, and Windows Defender exclusions are added for the files nniawsoykfo.exe and powermanager.exe.
Finally, nniawsoykfo.exe is dropped and executed; it in turn drops the XMRig crypto miner together with a component that controls it. That component communicates with the C&C server nvidiacenter.com and receives instructions for controlling both itself and the XMRig miner.
Indicators of Compromise
The following domains and MD5 hashes correspond to infrastructure and files linked to Nitrokod:
Domains:
nitrokod.com
intelserviceupdate.com
nvidiacenter.com
MD5 Hashes:
abe0fb9cd0a6c72b280d15f62e09c776
a3d1702ada15ef384d1c8b2994b0cf2e
668f228c2b2ff54b4f960f7d23cb4737
017781535bdbe116740b6e569657eedf
0cabd67c69355be4b17b0b8a57a9a53c
27d32f245aaae58c1caa52b349bed6fb
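To turn the infection chain described under "How it works" and the indicators above into a host check, the following read-only hunt script is added here as an example; it is not tooling from the advisory or from Check Point Research. It assumes an elevated PowerShell 5.1 or later session on Windows, takes the domains and MD5 values from the IOC list, and takes the task names, file-name prefixes and paths from the remediation section below. It only reports; it changes nothing on the host.

```powershell
# Added example (not the advisory's or Check Point's own tooling): read-only hunt for the
# Nitrokod artifacts described in this advisory. Run from an elevated PowerShell 5.1+ session.
# Domains/MD5 values come from the IOC list; task names, prefixes and paths from the remediation section.

$Domains      = @('nitrokod.com', 'intelserviceupdate.com', 'nvidiacenter.com')
$Md5Hashes    = @(
    'abe0fb9cd0a6c72b280d15f62e09c776', 'a3d1702ada15ef384d1c8b2994b0cf2e',
    '668f228c2b2ff54b4f960f7d23cb4737', '017781535bdbe116740b6e569657eedf',
    '0cabd67c69355be4b17b0b8a57a9a53c', '27d32f245aaae58c1caa52b349bed6fb'
)
$TaskNames    = @('InstallService1', 'InstallService2', 'InstallService3', 'InstallService4')
$FilePrefixes = @('chainlink', 'nniawsoykfo', 'powermanager')
$NitrokodDir  = "$env:ProgramData\Nitrokod"
$SearchPaths  = @("$env:SystemRoot\System32", $NitrokodDir)

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}
# File names must start with a prefix; paths in exclusions/firewall rules may contain it anywhere.
function Test-NitrokodName([string]$Text, [switch]$Anywhere) {
    foreach ($p in $FilePrefixes) {
        $pattern = if ($Anywhere) { "*$p*" } else { "$p*" }
        if ($Text.ToLower() -like $pattern) { return $true }
    }
    return $false
}

# 1. Persistence: the updater directory and the four tasks created by the chainlink dropper
if (Test-Path -LiteralPath $NitrokodDir) { Add-Finding 'Directory' $NitrokodDir }
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $TaskNames -contains $_.TaskName } |
    ForEach-Object { Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName) (state: $($_.State))" }

# 2. Dropped files: suspicious names in System32 / ProgramData\Nitrokod, plus MD5 matches
foreach ($dir in $SearchPaths) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        if (Test-NitrokodName $file.Name) { Add-Finding 'SuspiciousFileName' $file.FullName }
        $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
        if ($hash -and ($Md5Hashes -contains $hash.Hash.ToLower())) {
            Add-Finding 'KnownBadHash' "$($file.FullName) md5=$($hash.Hash.ToLower())"
        }
    }
}

# 3. Defence evasion: Windows Defender exclusions added for the dropped binaries
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($ex in @($mp.ExclusionPath) + @($mp.ExclusionProcess)) {
        if ($ex -and (Test-NitrokodName $ex -Anywhere)) { Add-Finding 'DefenderExclusion' $ex }
    }
}

# 4. Firewall rules whose program is one of the dropped binaries
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -and (Test-NitrokodName $_.Program -Anywhere) } |
    ForEach-Object {
        $rule = $_ | Get-NetFirewallRule
        Add-Finding 'FirewallRule' "$($rule.DisplayName) program=$($_.Program) dir=$($rule.Direction) action=$($rule.Action)"
    }

# 5. Network: C&C domains (or their subdomains) in the DNS client cache
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($d in $Domains) {
        if ($_.Entry -and $_.Entry.ToLower() -like "*$d") { Add-Finding 'DnsCache' "$($_.Entry) -> $($_.Data)"; break }
    }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No Nitrokod indicators found on this host.'
} else {
    $Findings | Sort-Object Type | Format-Table -AutoSize
    Write-Host "$($Findings.Count) indicator(s) found; follow the remediation steps."
}
```

Hashing every file in System32 takes a minute or two; the name, task, exclusion and firewall checks are instant, so the script is still usable as a quick triage step. A DNS-cache hit only proves a lookup happened since the last flush, so absence of one is not evidence of a clean host.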
Remediation
For immediate actions to resolve infection:
Remove any files starting with chainlink, nniawsoykfo and powermanager from system32.
Remove the updater located in the folder C:\ProgramData\Nitrokod.
Remove the malicious tasks: InstallService1, InstallService2, InstallService3 and InstallService4.
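The three immediate actions above, carried out as one script, are added here as an example; it is not tooling from the advisory or from Check Point Research. It assumes an elevated PowerShell 5.1 or later session on Windows and the file, folder and task names given in the steps above. It quarantines the artifacts rather than deleting them so they remain available for forensic review, and it also reverts the Defender exclusions and firewall rule the dropper adds, since leaving those in place would weaken the host after cleanup. Run it with -WhatIf first to preview every change.

```powershell
# Added example (not the advisory's or Check Point's own tooling): applies the immediate actions
# from this advisory. Run from an elevated PowerShell 5.1+ session; use -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical quarantine location chosen for this example; adjust to local practice.
    [string]$QuarantineDir = "$env:ProgramData\Quarantine\Nitrokod-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

$TaskNames    = @('InstallService1', 'InstallService2', 'InstallService3', 'InstallService4')
$FilePrefixes = @('chainlink', 'nniawsoykfo', 'powermanager')
$System32     = "$env:SystemRoot\System32"
$NitrokodDir  = "$env:ProgramData\Nitrokod"

# File names must start with a prefix; paths in exclusions/firewall rules may contain it anywhere.
function Test-NitrokodName([string]$Text, [switch]$Anywhere) {
    foreach ($p in $FilePrefixes) {
        $pattern = if ($Anywhere) { "*$p*" } else { "$p*" }
        if ($Text.ToLower() -like $pattern) { return $true }
    }
    return $false
}

# Move a file or directory into the quarantine folder, recording the MD5 of files for the case record.
function Move-ToQuarantine {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path)
    if (-not $PSCmdlet.ShouldProcess($Path, "Quarantine to $QuarantineDir")) { return }
    if (-not (Test-Path -LiteralPath $QuarantineDir)) {
        New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    }
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
        "$md5  $Path" | Add-Content -LiteralPath (Join-Path $QuarantineDir 'hashes.txt')
    }
    Move-Item -LiteralPath $Path -Destination $QuarantineDir -Force
}

# 0. Stop the running components first, otherwise their files cannot be moved
Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $exe = try { $_.Path } catch { $null }
    (Test-NitrokodName $_.ProcessName) -or ($exe -and $exe.ToLower().StartsWith($NitrokodDir.ToLower()))
} | ForEach-Object {
    if ($PSCmdlet.ShouldProcess("$($_.ProcessName) (PID $($_.Id))", 'Stop-Process')) { Stop-Process -Id $_.Id -Force }
}

# 1. Remove the malicious scheduled tasks InstallService1..4
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $TaskNames -contains $_.TaskName } | ForEach-Object {
    if ($PSCmdlet.ShouldProcess("$($_.TaskPath)$($_.TaskName)", 'Unregister-ScheduledTask')) {
        $_ | Stop-ScheduledTask -ErrorAction SilentlyContinue
        $_ | Unregister-ScheduledTask -Confirm:$false
    }
}

# 2. Quarantine files in System32 starting with chainlink, nniawsoykfo or powermanager
Get-ChildItem -LiteralPath $System32 -File -ErrorAction SilentlyContinue |
    Where-Object { Test-NitrokodName $_.Name } |
    ForEach-Object { Move-ToQuarantine $_.FullName }

# 3. Quarantine the updater directory C:\ProgramData\Nitrokod (update.exe lives here)
if (Test-Path -LiteralPath $NitrokodDir) { Move-ToQuarantine $NitrokodDir }

# 4. Revert the dropper's defence-evasion changes: Defender exclusions and firewall rules
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($ex in @($mp.ExclusionPath)) {
        if ($ex -and (Test-NitrokodName $ex -Anywhere) -and $PSCmdlet.ShouldProcess($ex, 'Remove Defender path exclusion')) {
            Remove-MpPreference -ExclusionPath $ex
        }
    }
    foreach ($ex in @($mp.ExclusionProcess)) {
        if ($ex -and (Test-NitrokodName $ex -Anywhere) -and $PSCmdlet.ShouldProcess($ex, 'Remove Defender process exclusion')) {
            Remove-MpPreference -ExclusionProcess $ex
        }
    }
}
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -and (Test-NitrokodName $_.Program -Anywhere) } |
    Get-NetFirewallRule | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.DisplayName, 'Remove-NetFirewallRule')) { $_ | Remove-NetFirewallRule }
    }

Write-Host "Done. Quarantined items (if any) are under $QuarantineDir."
```

After the script completes, run a full Defender scan (for example Start-MpScan -ScanType FullScan) and reboot, since the trojanized application that started the chain is still installed and should be uninstalled as well. Because the quarantine folder is not excluded from Defender, expect it to flag or remove the quarantined binaries; copy them to offline storage first if they are needed as evidence.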
To avoid this type of malware, users are advised to follow the steps below:
Research software before installing it and download only from official or verified websites.
Install a reputable, dependable antivirus solution and keep its signatures updated.
Be cautious when browsing online, since fraudulent and malicious content usually appears legitimate and harmless.
The Guyana National CIRT recommends that users and administrators review this alert and make changes where necessary.
References
Marelus, M. (2022, August 29). Check Point Research detects crypto miner malware disguised as Google Translate desktop and other legitimate applications. Retrieved from Check Point Research.
https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/
Lakshmanan, R. (2022, August 29). Nitrokod crypto miner infected over 111,000 users with copies of popular software. Retrieved from The Hacker News.
https://thehackernews.com/2022/08/nitrokod-crypto-miner-infected-over.html