September 18, 2022

These free Windows apps hide a dangerous secret

By on August 30, 2022

Malware spread via freeware sites was found to activate only after a delay of about a month, which ultimately helped it avoid detection.

As reported by Bleeping Computer, the malware campaign is camouflaged as Google Translate or MP3 downloader programs. In reality, however, it functions as cryptocurrency mining malware for Windows-based systems.


Discovered in 11 countries so far, the fake programs lurk in plain sight on free software sites. A Check Point report details how a developer, who goes by the name Nitrokod, is behind the malware.

Although the apps appear legitimate, Check Point confirmed that they delay malware installation for almost a month. From there, the infection chain “continued after a long delay using a scheduled tasks mechanism”, which gave the threat actors enough time to get rid of any evidence.

Once a victim launches one of the infected programs, a legitimate Google Translate application is installed on the system. The app then clears system logs via PowerShell commands, adds a firewall rule, and adds an exclusion so that Windows Defender will not detect it.

After several weeks, the malware is loaded and connects to a command-and-control (C&C) server to receive a configuration for the XMRig crypto-miner. This allows the application’s malicious files to begin mining activity on the target’s PC.
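The infection chain above (log clearing, Defender exclusion, firewall rule, delayed scheduled task, later miner activation) is a sequence a defender can look for in PowerShell script-block telemetry. The Python below is an added example, not code from the article, Check Point or Bleeping Computer: it runs a small chain detector over constructed log records of the form (timestamp, process, script text). The cmdlet names it matches (Clear-EventLog, wevtutil, Add-MpPreference, New-NetFirewallRule, Register-ScheduledTask, schtasks) are standard Windows commands; that this campaign used exactly these is an assumption, since the article only names the behaviours. The sample events, process name and file paths are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Behaviour signatures: label -> case-insensitive regex over the script text.
# These are standard Windows cmdlets/tools; that Nitrokod used exactly these
# is an assumption, the article only describes the behaviours.
SIGNATURES = {
    "log_clearing": re.compile(r"\b(Clear-EventLog|wevtutil\s+(cl|clear-log))\b", re.I),
    "defender_exclusion": re.compile(r"\bAdd-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    "firewall_rule": re.compile(r"\b(New-NetFirewallRule|netsh\s+advfirewall\s+firewall\s+add)\b", re.I),
    "scheduled_task": re.compile(r"\b(Register-ScheduledTask|schtasks(\.exe)?\s+/create)\b", re.I),
}

# A task whose first run is this many days or more after creation is treated
# as a delayed-activation task like the one described in the article.
LONG_DELAY_DAYS = 14

# Extracts the first-run time from a "-At '<ISO timestamp>'" trigger argument.
AT_PATTERN = re.compile(r"-At\s+'?(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})'?", re.I)

# Constructed sample telemetry (not real logs): one record per script-block event.
SAMPLE_EVENTS = [
    ("2022-07-01T10:02:11", "TranslateSetup.exe",
     "Clear-EventLog -LogName Application,System,Security"),
    ("2022-07-01T10:02:12", "TranslateSetup.exe",
     "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Updater'"),
    ("2022-07-01T10:02:13", "TranslateSetup.exe",
     "New-NetFirewallRule -DisplayName 'Updater' -Direction Outbound "
     "-Action Allow -Program 'C:\\ProgramData\\Updater\\update.exe'"),
    ("2022-07-01T10:02:14", "TranslateSetup.exe",
     "Register-ScheduledTask -TaskName 'InstallService' "
     "-Trigger (New-ScheduledTaskTrigger -Once -At '2022-07-31T10:00:00')"),
    # Benign admin activity that should not be flagged.
    ("2022-07-01T11:15:00", "powershell.exe",
     "Get-ChildItem C:\\Users\\alice\\Documents"),
]


def classify_event(timestamp, script):
    """Return the set of behaviour labels present in one script-block event."""
    labels = {name for name, rx in SIGNATURES.items() if rx.search(script)}
    if "scheduled_task" in labels:
        m = AT_PATTERN.search(script)
        if m:
            created = datetime.fromisoformat(timestamp)
            first_run = datetime.fromisoformat(m.group(1))
            if (first_run - created).days >= LONG_DELAY_DAYS:
                labels.add("long_delay_task")
    return labels


def analyse(events, min_behaviours=3):
    """Group events by process and flag any process that chains at least
    min_behaviours of the core signatures. Returns
    {process: {"labels": set_of_labels, "flagged": bool}}."""
    per_process = defaultdict(set)
    for timestamp, process, script in events:
        per_process[process] |= classify_event(timestamp, script)
    report = {}
    for process, labels in per_process.items():
        core = labels & set(SIGNATURES)
        report[process] = {"labels": labels, "flagged": len(core) >= min_behaviours}
    return report


if __name__ == "__main__":
    for process, result in analyse(SAMPLE_EVENTS).items():
        status = "FLAGGED" if result["flagged"] else "ok"
        print(f"{process:20} {status:8} {sorted(result['labels'])}")
```

Any one of these behaviours can be legitimate on its own (administrators do add Defender exclusions and firewall rules), which is why the detector scores the chain per process rather than alerting on a single cmdlet; the long-delay check is what separates a routine maintenance task from the month-long dormancy the campaign relied on.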

Free software is an extremely popular search term on Google, and the fake Nitrokod apps rank high in the results. One such website, Softpedia, delivered over 112,000 downloads of the developer’s Google Translate app.

As Bleeping Computer pointed out, crypto-mining malware puts a lot of stress on a system: it wears on the hardware and causes overheating, and because the miner consumes additional CPU resources, the overall performance of the machine suffers.

The activated malware could also be swapped for potentially more dangerous code if the threat actor decides to do so.

It bears emphasizing that you should always download programs from official sources and stay alert for suspicious developers, even if their software has been downloaded hundreds of thousands of times.
