Hackers use NullMixer and SEO to spread malware more efficiently

Kaspersky security researchers discovered a new series of campaigns focused on the malware tool they named NullMixer.

According to a warning published by the firm earlier today, NullMixer spreads malware via malicious websites that can be easily found via popular search engines, including Google.

“These websites are often linked to crack, keygen and activators for downloading illegal software, and although they may pretend to be legitimate software, they actually contain a malware dropper,” the advisory read.

The researchers also explained that when users attempt to download software from one of these sites, they are redirected multiple times and eventually land on a page containing download instructions alongside password-protected archived malware that acts as the desired software tool.

When a user extracts and runs NullMixer, however, the malicious software drops several malware files on the compromised machine.

“These malware families can include backdoors, bankers, credential thieves and so on,” Kaspersky wrote. “For example, the following families are among those dropped by NullMixer: SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine, Fabookie, ColdStealer.”

At the time of writing, security researchers said only in 2022, they have blocked attempts to infect more than 47,778 victims worldwide, located mainly in Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and United States.

Kaspersky also clarified that they are currently unable to attribute NullMixer to any specific group or threat actor.

More generally, the cybersecurity company warned individuals against trying to save money by using unlicensed software.

“A single file downloaded from an unreliable source can lead to a large-scale infection of a computer system,” the company wrote.

Several families of malware dropped by NullMixer are classified by the company and the general security community as Trojan-Downloaders. This suggests that the infections may not be limited to the malware families described in the report.

“Many of the other malware families mentioned here are thieves, and compromised credentials can be used for further attacks on a local network.”

The report comes weeks after the FBI warned against cyber-criminals increasingly hacking home IP addresses to hide credential stuffing activities and increase their chances of success.

Comments are closed.