NullMixer Opens Windows To Dozens of Malicious Files

Would-be users of pirated software on Windows computers have a decent chance of downloading a slew of viruses courtesy of a malware dropper Kaspersky is calling NullMixer.
Researchers with the Russian cybersecurity company say it has blocked NullMixer downloads from reaching nearly 48,000 users worldwide.
Industry association BSA-The Software Alliance in 2018 estimated that unlicensed software accounts for 37 percent of software installed on personal computers, costing industry tens of billions of dollars in lost revenue. Users looking for a cheap shortcut could likewise get shortchanged, since hackers have long salted software putatively meant for cracking licensed applications with malware.
NullMixer doesn’t just infect users with one particular virus. “It drops a wide variety of malicious binaries to infect the machine with, such as backdoors, bankers, downloaders, spyware and many others,” Kaspersky says. The dropper is hard to miss for anyone attempting to find a way to obtain software keys by hunting for an online tool. Malicious websites use search engine optimization to maintain spots in search results for “cracks” and “keygen.”
Infection Chain
The infection starts when a user runs the NullMixer executable from a password-protected archive that victims have downloaded. They’re given the password by the webpage hosting the putative software cracker.
In the version probed by Kaspersky, the first executable dropped and launched a second installer, which in turn dropped dozens of malicious files. Instead of launching them individually, it launched a single NullMixer start component, which launched the malware one by one.
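The start component described above gives defenders a process-tree signal to hunt for: one parent launching many distinct executables in a short burst. The following added detection example is not from Kaspersky's report; it runs a sliding-window count over constructed process-creation records with hypothetical paths and file names.

```python
"""Flag a parent process that launches many distinct child executables in a
short burst, the pattern a NullMixer-style start component shows when it runs
its dropped payloads one by one. Added example; sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\nm\\"  # hypothetical extraction dir

# Constructed process-creation records: (timestamp, parent image, child image),
# the same fields a Sysmon Event ID 1 or EDR process-start log would carry.
SAMPLE_EVENTS = [
    ("2022-09-26T10:00:00", "C:\\Windows\\explorer.exe", "C:\\Users\\victim\\Downloads\\setup.exe"),
    ("2022-09-26T10:00:04", "C:\\Users\\victim\\Downloads\\setup.exe", TEMP + "installer.exe"),
    ("2022-09-26T10:00:09", TEMP + "installer.exe", TEMP + "start.exe"),
    ("2022-09-26T10:00:12", TEMP + "start.exe", TEMP + "payload_01.exe"),
    ("2022-09-26T10:00:15", TEMP + "start.exe", TEMP + "payload_02.exe"),
    ("2022-09-26T10:00:18", TEMP + "start.exe", TEMP + "payload_03.exe"),
    ("2022-09-26T10:00:21", TEMP + "start.exe", TEMP + "payload_04.exe"),
    ("2022-09-26T10:00:25", TEMP + "start.exe", TEMP + "payload_05.exe"),
    ("2022-09-26T10:00:28", TEMP + "start.exe", TEMP + "PAYLOAD_05.exe"),  # same file, different case
    ("2022-09-26T10:30:00", "C:\\Windows\\explorer.exe", "C:\\Windows\\notepad.exe"),
    ("2022-09-26T10:31:00", "C:\\Windows\\explorer.exe", "C:\\Program Files\\Firefox\\firefox.exe"),
]


def burst_launchers(events, window_seconds=120, threshold=5):
    """Return {parent_image: distinct_children} for every parent that started at
    least `threshold` distinct child executables inside any span of
    `window_seconds`. Child paths are compared case-insensitively, as Windows does."""
    window = timedelta(seconds=window_seconds)
    by_parent = defaultdict(list)
    for ts, parent, child in events:
        by_parent[parent].append((datetime.fromisoformat(ts), child.lower()))

    flagged = {}
    for parent, children in by_parent.items():
        children.sort()  # oldest first, so each start time anchors one window
        for t0, _ in children:
            distinct = {img for t, img in children if t0 <= t <= t0 + window}
            if len(distinct) >= threshold:
                flagged[parent] = len(distinct)
                break
    return flagged


if __name__ == "__main__":
    for parent, n in burst_launchers(SAMPLE_EVENTS).items():
        print(f"ALERT: {parent} launched {n} distinct executables within 2 minutes")
```

Tune the window and threshold against your own baseline: installers and build tools also spawn bursts of children, so pair the rule with the parent's path (user-writable directories such as Temp or Downloads) before alerting.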
Among the infections dropped by NullMixer are SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine, Fabookie and ColdStealer.
“In most cases, users receive adware or other unwanted software, but NullMixer is far more dangerous, as it can download a huge number of Trojans at once, which can lead to a large-scale infection of any computer network,” researchers say.
One particularly virulent piece of malware dropped by NullMixer is RedLine Stealer, which hunts for credit card and cryptocurrency wallet data. The Lapsus$ extortion group was seen in April using RedLine in its attack targeting the U.S. telecom carrier T-Mobile (see: T-Mobile Breached Again; Lapsus$ Behind the Attack).
Malware Families Unleashed by the Dropper
- SmokeLoader: Another key threat family NullMixer drops, SmokeLoader has been active since 2011. It is modular malware, typically distributed via phishing emails and drive-by downloads, and over the years has evolved its capabilities with additional modules, including disabling Windows Defender and anti-analysis techniques. One of the most important uses of SmokeLoader remains downloading and executing payloads.
- ColdStealer: This is a new malicious program discovered in 2022. Like other stealers, its main agenda is to steal credentials and information from web browsers, in addition to stealing cryptocurrency wallets, FTP credentials, various files and information about the system such as OS version, system language, processor type and clipboard data.
- FormatLoader: The main purpose of this malware is to infect machines with even more malware by downloading software binaries.
- PseudoManuscrypt: Known since June 2021, its aim is to steal browser cookies and monitor user activity through keylogging. It can also steal cryptocurrency by using a plugin known as ClipBanker.
- Disbuk: Also known as Socelar, it is known to disguise itself as a legitimate application, such as a PDF editor. It steals Facebook session cookies from the Chrome and Firefox browsers. It’s been known to do the same for Amazon sessions.
- DanaBot: This is a Trojan-Banker that’s grown since its 2018 origins. It’s modular malware that includes various additional modules. The most popular functionalities of these modules are stealing information from compromised machines and injecting fake forms into popular e-commerce and social media sites to collect payment data.