Multi-stage crypto-mining malware hides in legitimate apps with month-long delay trigger

Researchers have discovered a new multi-stage malware delivery campaign that relies on legitimate application installers distributed through popular software download sites. The malicious payload delivery, which includes a cryptocurrency mining program, is done in stages with long delays that can add up to almost a month.

“After the initial software installation, the attackers delayed the infection process for weeks and deleted traces from the original installation,” researchers from security firm Check Point Software Technologies said in a new report. “This allowed the campaign to successfully operate under the radar for years.”

Trojanized app campaign began in 2019

According to the Check Point Research team, a Turkish-speaking software developer called Nitrokod is behind the campaign, which has been running since at least 2019. Nitrokod’s website claims that the developer has been creating free software applications including video and music converters, video downloaders and music players since 2017 with a combined install base of around 500,000 users.

Some of Nitrokod’s Trojanized programs can be found on app download sites such as Softpedia and Uptodown. The app Check Point analyzed is called Google Translate Desktop and is a desktop application that allows people to use Google Translate’s service, which is normally only available as a web service through a browser.

In fact, the Google Translate Desktop app itself is built using the open-source Chromium Embedded Framework (CEF) project that allows app developers to implement the Chrome browser in their apps to display web content. This allowed the Nitrokod authors to create functioning apps without too much effort.

In addition to Google Translate Desktop, the developer also distributes similarly built apps like Yandex Translate Desktop, Microsoft Translator Desktop, YouTube Music Desktop and Mp3 Download Manager, Pc Auto Shutdown. Check Point has identified users of these Trojanized applications in 11 countries.

Delayed malware deployment to avoid detection

Once the user downloads and installs an app, the deployment of malicious payloads doesn’t happen immediately, which is a strategy to avoid detection. First, the app installer, which is built with a free tool called Inno Setup, reaches out to the developer’s website and downloads a password-protected RAR archive that contains the application files. These are deployed under the Program Files (x86)\Nitrokod\[application name] path.

The app then checks for the presence of a component called update.exe. If it’s not found, it deploys it under the Nitrokod folder and sets up a system scheduled task to execute it after every restart. The installer then collects some information about the victim’s system and sends it to the developer’s server.

Up to this point, the installation is not very unusual for how a legitimate application would behave: collecting some system data for statistics purposes and deploying what looks like an automatic update component. However, after around four system restarts on four different days, update.exe downloads and deploys another component called chainlink1.07.exe. This mechanism of delaying the deployment and requiring multiple restarts is likely an attempt to defeat sandbox analysis systems, which do not test application behavior across multiple restarts.

The chainlink1.07.exe stager creates four different scheduled tasks that will execute with different delays. One of them, which executes every three days, uses PowerShell to delete system logs. Another one is set to execute every 15 days and downloads another RAR archive from a different domain that uses the intentionally deceptive name intelserviceupdate. A third scheduled task executes every two days and is set to unpack the RAR archive if it exists, while the fourth task executes every day and is set to execute another component from the archive.

Even though they are set to run with higher frequency, the third and fourth tasks don’t do anything until the 15-day delayed task that downloads the RAR archive runs, since otherwise there’s no archive to extract and no executable to execute.

“At this point, all related files and evidence are deleted and the next stage of the infection chain will continue after 15 days by the Windows utility schtasks.exe,” the researchers said. “This way, the first stages of the campaign are separated from the ones that follow, making it very hard to trace the source of the infection chain and block the initial infected applications.”

The new malicious component is an intermediary dropper that further prepares the system for the final stages. First, it checks the running processes for known virtual machine applications and security products and if any is found, it halts execution. If this check is passed, it adds a new firewall rule for the next components, as well as exclusions for them in Windows Defender.

Finally, the dropper deploys another component called nniawsoykfo1.8.exe, which then deploys two other executable files called nniawsoykfo.exe and powermanager.exe. The latter is a copy of the open-source XMRig cryptocurrency mining program, while the former is a component that controls the miner and connects to a domain with nvidiacenter in its name where the attackers’ common and control server is hosted.

The program sends information about the system such as idle time, number of CPU cores, whether it’s a desktop or laptop, the antivirus programs installed, the version of the deployed Powermanager.exe (XMRig) and more.

Strong application use policies main defense against Trojanized apps

While fake or Trojanized apps are not a new attack vector, stealthy campaigns like this that manage to fly under the radar for years highlight why it’s critically important for organizations to have strong application use policies and to enforce them for employees. Application whitelisting solutions can also be used on sensitive systems to restrict what applications and from where can be downloaded and installed by employees.