Thousands of devices across 11 countries have been impacted by the Nitrokod cryptomining malware, reports The Record, a news site by cybersecurity firm Recorded Future.
Nitrokod is being distributed by Turkish threat actors through free PC software download sites, one of which offers a fraudulent Google Translate desktop app, according to a Check Point report. "The malicious tools can be used by anyone. They can be found by a simple web search, downloaded from a link, and installation is a simple double-click. We know that the tools are built by a Turkish-speaking developer. Currently, the threat we identified was unknowingly installing a cryptocurrency miner, which steals computer resources and leverages them for the attacker to monetize on," said Check Point Vice President of Research Maya Horowitz.
The report also showed that Nitrokod has remained under the radar for years through a delayed malware release mechanism, which involves deployment days or weeks after the initial program download.
"The infection chain continued after a long delay using a scheduled task mechanism, giving the attackers time to clear the evidence," said researchers.
Threat actors using Nitrokod could also modify the attack's final payload, they added.
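One defensive angle on the delayed scheduled-task technique described above is to flag newly created tasks whose first trigger is set far in the future. The following is an added example, not code from the article or from Check Point: it runs over constructed records shaped like Windows Security event 4698 ("A scheduled task was created") and reports tasks whose earliest StartBoundary is at least a day after creation. The task names, commands and timestamps are invented for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List

# Namespace used by Task Scheduler task XML (the real schema URI).
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def _task_xml(start_boundary: str, command: str) -> str:
    """Build a minimal TaskContent document for the constructed samples."""
    return (
        f'<Task xmlns="{TASK_NS}">'
        "<Triggers><CalendarTrigger>"
        f"<StartBoundary>{start_boundary}</StartBoundary>"
        "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>"
        "</CalendarTrigger></Triggers>"
        f"<Actions><Exec><Command>{command}</Command></Exec></Actions>"
        "</Task>"
    )


# Constructed sample records (assumption: creation time, task path and
# TaskContent XML as they would be extracted from event 4698). None of
# these values come from the Nitrokod campaign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"created": "2022-07-01T10:00:00", "task": r"\Microsoft\Windows\UpdaterCheck",
     "content": _task_xml("2022-07-06T10:00:00", r"C:\Users\Public\update.exe")},
    {"created": "2022-07-01T11:00:00", "task": r"\Backup\NightlyJob",
     "content": _task_xml("2022-07-01T11:05:00", r"C:\Tools\backup.exe")},
    {"created": "2022-07-02T09:00:00", "task": r"\Microsoft\Windows\Translate",
     "content": _task_xml("2022-07-30T09:00:00", r"C:\ProgramData\Translate\stage2.exe")},
]


def parse_start_boundaries(task_content: str) -> List[datetime]:
    """Return every trigger StartBoundary in the task XML, ignoring namespaces."""
    root = ET.fromstring(task_content)
    found: List[datetime] = []
    for el in root.iter():
        # Strip the "{namespace}" prefix ElementTree puts on each tag.
        if el.tag.rsplit("}", 1)[-1] == "StartBoundary" and el.text:
            # Task Scheduler writes ISO-8601 timestamps; a trailing 'Z' is dropped
            # so fromisoformat() on older Pythons accepts it.
            found.append(datetime.fromisoformat(el.text.rstrip("Z")))
    return found


def delay_days(event: Dict[str, str]) -> float:
    """Days between task creation and its earliest trigger; 0.0 if no trigger."""
    created = datetime.fromisoformat(event["created"])
    starts = parse_start_boundaries(event["content"])
    if not starts:
        return 0.0
    return (min(starts) - created).total_seconds() / 86400


def flag_delayed_tasks(events: List[Dict[str, str]], min_delay_days: float = 1.0) -> List[Dict[str, object]]:
    """Return tasks whose first run is scheduled at least min_delay_days after creation."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        d = delay_days(ev)
        if d >= min_delay_days:
            hits.append({"task": ev["task"], "delay_days": round(d, 2)})
    return hits


if __name__ == "__main__":
    for hit in flag_delayed_tasks(SAMPLE_EVENTS):
        print(f"{hit['task']}: first run {hit['delay_days']} days after creation")
```

A one-day threshold will also catch legitimate maintenance jobs, so in practice this check is best paired with the task's creating user and the Exec command path (a first run days away combined with a binary under a user-writable directory is far more suspicious than either signal alone).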
Microsoft Entra, Microsoft Sentinel, Azure Logic Apps, Azure Monitor, Azure Healthcare APIs, Azure Trusted Signing, Azure Virtual Desktop, and Power Platform were affected by varying degrees of log disruption, according to Microsoft.
Attacks involved the display of fraudulent Google Meet popup alerts, which would download the StealC or Rhadamanthys infostealers for Windows users and the AMOS Stealer payload for macOS users, according to a Sekoia analysis.
Malicious spear-phishing messages have been leveraged by RomCom to distribute the MeltingClaw or RustyClaw downloaders for the ShadyHammock and DustyHammock backdoors, respectively, with the latter facilitating the delivery of the SingleCamper trojan.