Check Point Research uncovered Nitrokod, a Turkish-based crypto-miner campaign that hides malware in legitimate-looking apps like Google Translate Desktop and has infected machines across 11 countries. The operation uses a multi-stage infection chain with long delays and evasion techniques, which detection and correlation by Check Point XDR helped uncover and mitigate. Hashtags: #Nitrokod #XMRig
Key points
- CPR identified a Turkish-speaking crypto-miner campaign named Nitrokod infecting machines in 11 countries.
- The malware is distributed via popular freeware sites and free software bundles, including Google Translate Desktop-style installers.
- An evasion strategy separates the initial Nitrokod installer from the later malware droppers, enabling stealth over weeks or more.
- The infection chain comprises multiple staged drops, with delayed execution and scheduled tasks to avoid detection.
- Check Point XDR detected and correlated all actions, enabling automatic responses and blocking indicators across endpoints and networks.
- IOC details include domains such as Nitrokod[.]com, Intelserviceupdate[.]com, and Nvidiacenter[.]com, plus several MD5 hashes.
- Stages 5 to 7 include VM/antivirus checks, firewall and Defender exclusions, and a final miner dropper (XMRig) that reports to a C2 server.
MITRE Techniques
- [T1036] Masquerading: the malware masquerades as legitimate software (e.g., Google Translate Desktop) downloaded from popular websites, using a Chromium-based wrapper to present a legitimate appearance.
- [T1105] Ingress Tool Transfer: the installer downloads an encrypted RAR file from the attacker server to fetch the first payload.
  - "The installer starts by downloading an encrypted RAR file from hxxp://nitrokod[.]com/download/GoogleTranslateDesktop.rar."
- [T1053] Scheduled Task: the chain uses scheduled tasks to persist and trigger actions over time, enabling long dwell and evasion.
  - "The infection chain continued after a long delay using a scheduled task mechanism, giving the attackers time to clear the evidence."
- [T1070] Indicator Removal on Host: the dropper clears system logs as part of the cleanup process.
  - "Stage 4 clears all system logs using the PowerShell command Clear-EventLog."
- [T1497] Virtualization/Sandbox Evasion: the malware checks for VM processes and security software before proceeding.
  - "The stage 5 dropper starts by checking if certain programs are installed on the infected machine. First, it checks against a list of known virtual machine processes and then against a list of mainly security products."
- [T1082] System Information Discovery: the malware enumerates security products and determines desktop vs. laptop usage to tailor its behavior.
  - "The malware enumerates all the security products installed on the infected machine… identify platform."
- [T1071.001] Web Protocols: the malware uses HTTP POST to communicate with a C2, sending JSON data and receiving commands.
  - "The bot connects to its C&C server nvidiacenter[.]com and sends the following data in a JSON format over HTTP POST requests."
- [T1041] Exfiltration Over C2 Channel: data about the infected host is encoded and sent to the C2, shaping control commands and miner behavior.
  - "The data is then encoded by the following steps… The C&C response is decoded the same way it was encoded…"
- [T1496] Resource Hijacking: the final stage runs the XMRig miner to mine cryptocurrency.
  - "nniawsoykfo.exe: XMRig crypto miner."
Indicators of Compromise
- [Domain]: Nitrokod[.]com, intelserviceupdate[.]com, and nvidiacenter[.]com
- [MD5]: abe0fb9cd0a6c72b280d15f62e09c776, a3d1702ada15ef384d1c8b2994b0cf2e, and 4 more hashes
- [File Name]: GoogleTranslateDesktop.exe, GoogleTranslateDesktop2.50.exe, nniawsoykfo.exe, powermanager.exe
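The indicators above, together with the techniques listed under MITRE Techniques (T1071.001 for the C2 and distribution domains, T1036 for the masquerading file names, T1070 for the Clear-EventLog cleanup), can be turned into a simple triage check over endpoint and DNS telemetry. The following Python is an added example for defenders, not code from this page or from Check Point: the event schema and the sample telemetry are constructed, and only the two MD5 hashes printed on the page are included (the page says four more exist but does not list them).

```python
import re

# Indicators copied from the page, defanged as printed there. The page mentions
# "4 more" MD5 hashes it does not print, so only the two listed are included.
DEFANGED_DOMAINS = ["Nitrokod[.]com", "intelserviceupdate[.]com", "nvidiacenter[.]com"]
MD5_HASHES = {"abe0fb9cd0a6c72b280d15f62e09c776", "a3d1702ada15ef384d1c8b2994b0cf2e"}
FILE_NAMES = {"googletranslatedesktop.exe", "googletranslatedesktop2.50.exe",
              "nniawsoykfo.exe", "powermanager.exe"}


def refang(domain):
    """Turn a defanged indicator such as 'nvidiacenter[.]com' back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(host):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def check_event(event):
    """Return a list of (label, detail) hits for one event.

    The event dict schema is an assumption made for this example: 'type' is
    'dns' (with 'query') or 'process' (with 'image', 'md5', 'cmdline').
    """
    hits = []
    if event.get("type") == "dns":
        query = event.get("query", "")
        if domain_matches(query):
            hits.append(("T1071.001", "DNS query for known Nitrokod domain: " + query))
    elif event.get("type") == "process":
        image = event.get("image", "")
        name = re.split(r"[\\/]", image)[-1].lower()
        if name in FILE_NAMES:
            hits.append(("T1036", "known Nitrokod file name: " + name))
        md5 = event.get("md5", "").lower()
        if md5 in MD5_HASHES:
            hits.append(("IOC-MD5", "known Nitrokod hash: " + md5))
        # Stage 4 wipes event logs with Clear-EventLog; flag any command line using it.
        cmdline = event.get("cmdline", "")
        if re.search(r"\bclear-eventlog\b", cmdline, re.IGNORECASE):
            hits.append(("T1070", "event log clearing: " + cmdline))
    return hits


def scan(events):
    """Scan a sequence of events and return (event_index, hit) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


# Constructed sample telemetry (not real logs): a benign DNS query, a lookup of
# a subdomain of a listed C2 domain, a dropped installer with a listed hash,
# a log-wiping PowerShell command, and a benign process.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "www.example.com"},
    {"type": "dns", "query": "update.intelserviceupdate.com"},
    {"type": "process", "image": r"C:\Users\alice\Downloads\GoogleTranslateDesktop.exe",
     "md5": "ABE0FB9CD0A6C72B280D15F62E09C776", "cmdline": "GoogleTranslateDesktop.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "md5": "00000000000000000000000000000000",
     "cmdline": "powershell.exe -Command Clear-EventLog -LogName Application,Security,System"},
    {"type": "process", "image": r"C:\Windows\explorer.exe", "md5": "", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for index, (label, detail) in scan(SAMPLE_EVENTS):
        print(f"event {index}: [{label}] {detail}")
```

Subdomain matching matters because the page's quotes show the C2 host being contacted directly, but a sinkhole or proxy log may record a subdomain; the Clear-EventLog check is deliberately broad, since clearing all logs is rare in normal administration and is worth a look on its own even when no other indicator is present.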