Cryptojacking: a corrupted Google Translate mines cryptos on more than 100,000 PCs

Cryptojacking: undetectable crypto mining

To steal cryptocurrencies, hackers redouble their ingenuity. With the recent speculative bubble around cryptos, the sector has become very lucrative, so many individuals have paid the price. These attacks can take various more or less well-known forms.

While attacks in the form of phishing are mainly recognizable, cryptojacking is also very widespread, but much less detectable.

Cryptojacking consists of hiding malicious software on a computer or smartphone to use it in the process of mining certain cryptocurrencies. Thus, by taking advantage of the computing power of your PC or phone, hackers pocket mining-related gains. The threat is to be taken very seriously, since to be efficient, the software must be invisible, therefore you can be infected without knowing it and without being particularly adept in the world of cryptocurrencies.

More than 100,000 PCs have recently paid the price…

Corrupt “Google translate” software mines crypto without your knowledge

Hidden under recognized applications like Google Translate, cryptojacking malware has managed to infect no less than 112,000 computers.

It is through a report by Check Point Research (CPR) that we learned the news last Monday. In particular, the cybersecurity research team said that the software has been exploiting a large number of computers for several years.

The malware that only uses the name “Google translate” has allowed hackers to use these thousands of machines to mine the Monero (XMR) cryptocurrency. The attack is not new since, under the radar, the software has been able to use the computers of the victims since 2019, and this, in 11 countries:

• Israel
• Germany
• UK
• United States
• Sri Lanka
• Cyprus
• Australia
• Greece
• Turkey
• Mongolia
• Poland

As a result, although the infected machines are not necessarily real mining RIGs, we can imagine that the operation could nevertheless bring a jackpot to the pirates.

The “success” of the malware is partly explained by the fact that it has been integrated into replicas of known software such as YouTube Music, Google Translate or Microsoft Translate. Although there is no desktop version for Google Translate, according to the research team, these bogus software have been made available on reputable sites like Softpedia or Uptodown.

Benefiting from the visibility of several sites, the software rose quickly in the Google search results. Initially promoted by a Turkish software developer named “Nitrokod”, the “free and secure” software therefore spread to victims’ computers like wildfire.

A methodical infection

Once the malware is executed, the infection begins, and the installation of the malware is meticulous – taking several weeks to be effective… Precisely, the software begins to extract cryptos almost a month after installation.

The process is divided into several stages:

• Installing in .rar allows attackers to download a package to build the files on the computer.

• Once it is executed, the software does not contain anything alarming since it is generally an exact copy of the official version. Only, it already sends the information of the infected machine to the attacker.

• After 4 restarts over a period of 5 days, the software proposes an update and executes the “update.exe” program, this is where the serious things begin…

• Once the period has passed, the program will perform the 4 tasks above.

• After several days of process (usually 1 month), the malicious cryptomining software as “powermanager.exe” runs.

The machine is then infected, “nitrokod” only has to extract the Monero crypto without the consent of the victims, and without them even noticing. Indeed, the almost invisible infection usually results in a slight slowdown of the system. If you want to know more, you can consult Check Point Research’s detailed report.

This event is a reminder of the threats that abound on the Internet. If you do not want to make your PC work on behalf of another, it is strongly advised to favor official sites when downloading any software in order to protect yourself from this kind of risk.