exe file to run every day once they are unpacked. It fetches and stores several executables and schedules one. When the user downloads and installs software loaded with the Nitrokod malware, the app runs as expected while the malicious trojan works quietly in the background.

The attack is a multi-stage sequence in which each dropper paves the way for another dropper until the actual malware is dropped. Moshe Marelus, a malware analyst at Check Point, stated that the malware drops around one month after the infection and that dropping files is a multi-stage process, which makes it rather complicated to track its initial stages.

The list of victims is pretty diverse as they are spread across the following countries:

This malware is readily available, and anyone can use it, stated Check Point’s vice president of research, Maya Horowitz.

The malware keeps its execution on hold for several days or weeks and launches its Monero mining code when it deems it safe. It is spread disguised as a clean Windows application. The cryptocurrency mining Trojan is called Nitrokod.

Fake malicious apps spreading the Nitrokod crypto miner (Image via CheckPoint)

Campaign Analysis