An active cryptocurrency mining malware campaign has already infected more than 111,000 users in Germany, Israel, Poland, the U.S. and other countries, according to a report published by American-Israeli cybersecurity provider Check Point Software Technologies.
Bad actors are setting traps for victims on websites of the likes of Softpedia that feature free software. They trick them into downloading the desktop version of such services as YouTube Music and Microsoft Translate. The catch? These services do not actually have official desktop versions.
The campaign, which has been under the radar for years, is reportedly linked to a Turkish software developer dubbed Nitrokod, which claims to offer free software.
It managed to remain undetected for such a long period of time because of its sophisticated multi-stage infection process. By delaying the execution of malware for weeks after installation and removing all the traces, this makes it extremely hard to link the malware to a particular ill-fated installation.
After execution, the malware starts a stealth Monero (XMR) crypto-mining operation by connecting to its command-and-control server and getting the XMRig CPU mining tool. In order to make sure that the malware remains active, a scheduled task is set to run the scam every day.
Check Point claims that even unsophisticated users are capable of getting access to the necessary toolset that can be installed with just a few clicks.
Monero remains the undisputed ploy currency of cryptojackers because of its anonymity features. A 2019 study showed that illicit crypto mining was responsible for as much as 4% of XMR's total circulating supply.