Windows malware activates after a month and goes undetected

Windows malware activates after a month and goes undetected

Check Point reported malware that pretends to be a Google Translate tool or MP3 downloader but actually exploits the target machines for cryptocurrency mining.

Developed by an operator known as Nitrokod, this malware has a peculiarity: it installs the malicious components after about a month, in order to bypass the security systems installed on the infected computers. Users are misled by the fact that the tools proposed by Nitrokod are ranked very high on Google searches, therefore, they are downloaded quite frequently by unsuspecting users looking for specific utilities.



Always use official apps like the one for Google Translate
Via PowerShell commands, the software cleans up the system logs and, 15 days later, retrieves a other encrypted RAR file. It then checks for antivirus and adds firewall rules and Windows Defender exclusion rules.

At the end of the preparatory stages, Nitrokod's software retrieves a mining malware known as XMRig which analyzes the system and sends a report to a C2 server to receive further instructions on how and when to activate, how many resources to use and which programs to look for and terminate.

The risks are different, not only a greater consumption of hardware resources, with possible overheating problems and performance drops, but also the possibility that malicious software will recover other far more harmful payloads .