Crypto-Crooks Spread Trojanized Google Translate App in Watering-Hole Attack

  /     /     /  
Publicated : 23/11/2024   Category : security


Crypto-Crooks Spread Trojanized Google Translate App in Watering-Hole Attack


The ongoing campaign is spreading worldwide, using the lure of a fully functional Google Translate application for desktops that has helped the threat stay undetected for months.



A cryptomining campaign has potentially infected thousands of machines worldwide by hiding in a Google Translate download for desktops.
According to researchers at Check Point, the threat actor behind it is a Turkish-speaking software developer called Nitrokod, which offers free versions of popular software applications that dont have an official desktop version — like Google Translate.
In fact, its version of the translation utility, created using the official Google Translate webpages and a Chromium-based framework, is its most popular offering, researchers said in a
blog post
this week. Its distributed in a watering-hole approach, available via websites like Softpedia and uptodown, and turning up at the top of search results for “Google Translate desktop download.
Unfortunately, the downloads are Trojanized, which victims might not realize for a very long time (or ever) given that the app actually works as advertised.
This campaign highlights the diverse methods of propagation employed by cryptojacking groups, says Matt Muir, security researcher at Cado Security. Although masquerading as legitimate applications is as old as malware itself … sadly, it remains far too easy to trick an end user into installing what they believe to be a popular application.
The campaign, which is ongoing and spreading globally, sports several features that are designed to help it remain undetected, Check Point researchers found.
For instance, after the software is installed, the infection process goes dormant for weeks. Tom Kellermann, senior vice president of cyber-strategy at Contrast Security, tells Dark Reading that this is a prime example of a growing trend.
Notably, after initial injection they are waiting weeks to remain undetected, he says. Placing malware on a sleep cycle is becoming mainstream, and chronos attacks are growing where adversaries use time for the purposes of evasion.
After the sleep interval, the infection process is initiated and the victim receives an updated file that, over the course of a few days, loads a chained series of four droppers onto the machine. Finally, the last dropper fetches the Monero-focused XMRig cryptominer and executes it.
The download then connects out to a command-and-control (C2) server for configuration data and begins mining, while the attackers delete any evidence of the infection process. Meanwhile, Google Translate will continue to work properly, separately — offering no red flags for analysis.
This allowed the campaign to successfully operate under the radar for years, according to Check Points analysis. This way, the first stages of the campaign are separated from the ones that follow, making it very hard to trace the source of the infection chain and block the initial infected applications.
Active since 2019, Nitrokod claims to offer free and safe software, which in reality are all threats, researchers noted. The behaviors are similar to the Google Translate campaign in all other infected programs, they said. Thus, while this campaign was spotted in July, its likely that there will be additional activity from the cybercrime group going forward.
Assaf Morag, lead data analyst on the Aqua Nautilus research team, notes that the campaign illustrates how cryptojacking crooks are
proliferating their attack methods
and continuing to go after virtual coins as a quick financial win.
In addition to Trojanized applications, some cryptominers are hidden in websites, and when an unsuspecting victim browses the site, the cryptomining script on the website is running in the browser, often without users knowledge or consent, he says. Another type of cryptojacking that weve seen recently is often more complex. It involves a large botnet infrastructure that scans for vulnerabilities and misconfigurations, exploits them, and disseminates the cryptojacking malware and often other malware aimed to expand the attack and make it persistent.
As a result, businesses should shore up their basic defenses such as patching and Web filtering, and implement policies against downloading anything but approved software onto endpoints, network sensors, servers, and firewalls. And even then, users should only download software from official repositories — like Google Play, in this case; if theres no official desktop app, users should make do with the Web-based version.
Michael Clark, director of threat research at Sysdig, also says the campaign puts remote workers on notice.
The software it pretends to be something that could be used by anyone, he says. It shows that your endpoints and even users at home could be affected by cryptomining. Endpoints may not be as powerful as servers, but for a cryptominer, every bit of processing power they can steal adds to their profits.
And what if its too late? If infected, users will see a performance issue with their systems and potentially need a fresh install of their operating system to rid the system of the malware effectively, says James McQuiggan, security awareness advocate at KnowBe4.

Last News

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security

▸ CryptoWall is more widespread but less lucrative than CryptoLocker. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Crypto-Crooks Spread Trojanized Google Translate App in Watering-Hole Attack