Nitrokod is a backdoor used to stage next-stage payloads on infected systems; in the observed campaign the final payload was a build of the XMRig crypto-mining tool. It is attributed to a Turkish-speaking entity and is distributed mainly through trojanized "desktop" versions of popular web applications that have no official desktop client. The most downloaded of these weaponized applications poses as a desktop version of Google Translate. Details of the threat and its infection chain were made public in a report by security researchers.
Nitrokod incorporates detection-evasion and anti-analysis techniques. It checks for signs of a virtual environment and for the presence of particular anti-malware and security products; on a positive match it stops executing and deletes the traces of its presence. In addition, the malware evades Microsoft Defender, so its later stages run without being detected.
Once fully active, Nitrokod collects general device and system information together with the details it needs for the subsequent mining stage, such as the model of the device's CPU. What makes a Nitrokod infection so difficult to stop early is the long gap between the deployment of the backdoor and the delivery of the mining payload: in some cases XMRig was delivered weeks after Nitrokod had established itself on the victim's device, long after the original download would be suspected.
XMRig is an open-source Monero (XMR) miner that is widely repurposed in crypto-mining campaigns. Deployed without the owner's consent, it hijacks the system's CPU to mine Monero for the attacker.
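The following is an added example, not code from the page, from the researchers' report or from the Nitrokod campaign itself. It runs simple detection logic over a handful of constructed Windows process-creation events to flag the three behaviours described above: a Microsoft Defender exclusion being added from the command line (assumed here as one common way to achieve the evasion the text describes; the page does not say how Nitrokod does it), an XMRig-style miner command line, and a long gap between the first run of the trojanized installer and the first miner process on the same host. The event format, host name, file paths, installer name, pool address and wallet string are all invented for illustration; the `Add-MpPreference` cmdlet and the XMRig flags (`--donate-level`, `--cpu-max-threads-hint`, the `stratum+tcp://` scheme) are real.

```python
"""Constructed detection example: flag Defender exclusions, XMRig-style
command lines and a delayed mining stage in process-creation events.
Sample events, names and paths are invented; nothing here is taken from
the Nitrokod report."""
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime      # process start time (UTC)
    host: str
    image: str        # full path of the started executable
    cmdline: str
    parent: str       # image of the parent process


# Generic XMRig-style indicators: the stratum scheme, XMRig-specific flags
# and the binary name. Any one match is enough to flag a command line.
MINER_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level", re.I),
    re.compile(r"--cpu-max-threads-hint", re.I),
    re.compile(r"--coin[= ]monero", re.I),
    re.compile(r"(^|[\\/\s])xmrig(\.exe)?(\s|$)", re.I),
]

# An exclusion added to Microsoft Defender from the command line. Assumed
# evasion technique for this example; the page does not name Nitrokod's.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)


def is_miner_cmdline(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in MINER_PATTERNS)


def adds_defender_exclusion(cmdline: str) -> bool:
    return bool(DEFENDER_EXCLUSION.search(cmdline))


def staging_gap_days(events, dropper_image_name: str):
    """Days between the first run of the suspected dropper and the first
    miner process, or None if either is missing from the events."""
    ordered = sorted(events, key=lambda e: e.ts)
    first_drop = next((e for e in ordered
                       if e.image.lower().endswith(dropper_image_name.lower())), None)
    first_miner = next((e for e in ordered if is_miner_cmdline(e.cmdline)), None)
    if first_drop is None or first_miner is None:
        return None
    return (first_miner.ts - first_drop.ts).total_seconds() / 86400.0


def analyze(events, dropper_image_name: str, min_gap_days: float = 7.0):
    """Return (kind, detail) findings in chronological order. A gap of at
    least min_gap_days between dropper and miner is reported as a
    delayed stage, the pattern the text describes."""
    findings = []
    for e in sorted(events, key=lambda e: e.ts):
        if adds_defender_exclusion(e.cmdline):
            findings.append(("defender_exclusion",
                             f"{e.ts:%Y-%m-%d} {e.parent} -> {e.cmdline}"))
        if is_miner_cmdline(e.cmdline):
            findings.append(("miner_cmdline", f"{e.ts:%Y-%m-%d} {e.image}"))
    gap = staging_gap_days(events, dropper_image_name)
    if gap is not None and gap >= min_gap_days:
        findings.append(("delayed_stage",
                         f"miner appeared {gap:.0f} days after {dropper_image_name}"))
    return findings


# Constructed sample: a fake "desktop translate" installer, an exclusion
# added minutes later, a benign event, and a miner launched 30 days on
# under an innocuous name. Pool host and wallet string are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(datetime(2022, 7, 1, 10, 0, 0), "ws01",
              r"C:\Users\alice\Downloads\translate-desktop-setup.exe",
              r'"C:\Users\alice\Downloads\translate-desktop-setup.exe" /S',
              r"C:\Windows\explorer.exe"),
    ProcEvent(datetime(2022, 7, 1, 10, 0, 5), "ws01",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Update"',
              r"C:\Users\alice\Downloads\translate-desktop-setup.exe"),
    ProcEvent(datetime(2022, 7, 2, 9, 0, 0), "ws01",
              r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(datetime(2022, 7, 31, 10, 0, 0), "ws01",
              r"C:\ProgramData\Update\updater.exe",
              r"updater.exe -o stratum+tcp://pool.example.invalid:3333 "
              r"-u 4WALLETPLACEHOLDER --donate-level=1",
              r"C:\Windows\System32\svchost.exe"),
]


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EVENTS, "translate-desktop-setup.exe"):
        print(f"{kind:20s} {detail}")
```

The delayed-stage check is the part worth keeping: a miner process on its own is easy to flag, but tying it back to an installer that ran a month earlier is what lets an analyst identify the trojanized application as the initial access vector rather than treating the miner as an isolated event.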