NullMixer Malware Spreads through Websites

Kaspersky researchers have discovered a new campaign spreading NullMixer, a malware that cybercriminals actively distribute via websites offering cracks, keygens and activators for downloading software illegally.

This malware steals users’ credentials, addresses, credit card data, cryptocurrencies, and even Facebook and Amazon accounts.

The Infection Chain of NullMixer Malware

NullMixer is a dropper that starts an infection chain involving a wide variety of malware families. It spreads via malicious websites that are found mainly through search engines; these websites use SEO to stay at the top of search engine results.

“When users attempt to download software from one of these sites, they are redirected multiple times, and end up on a page containing the download instructions and archived password-protected malware masquerading as the desired piece of software,” Kaspersky researchers said.

NullMixer malware drops a number of malware files to the compromised machine. These malware families may include backdoors, bankers, credential stealers and so on. Also, it can download a huge number of Trojans at once, which can lead to a large-scale infection of any computer network.
Top Google search engine results for “crack software” contain malicious websites delivering NullMixer

When the user clicks the download link for the desired software, they are redirected to another malicious website, and then to a webpage hosted on a third-party IP address that instructs them to download a password-protected ZIP file from a file-sharing website.

Malware execution instructions

After extracting the archive with the supplied password, the user runs the installer, which executes the malware. It then drops a wide variety of malicious binaries onto the machine, including backdoors, bankers, downloaders, spyware and many others.
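The delivery step described above relies on a password-protected archive, which keeps content-inspecting gateways from looking inside the payload. A gateway or mail filter does not need the password to notice that an archive is encrypted or what file names it carries: both facts sit in the ZIP central directory in cleartext. The following Python triage check is an added example for this article, not code from Kaspersky or from the campaign itself; the sample archive, file names and the "block/review/allow" verdicts are constructed for illustration.

```python
import io
import os
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Extensions that should not appear in a "software download" archive a user
# is asked to run from an unencrypted-looking download (constructed list).
SUSPICIOUS_EXT = {".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".dll", ".lnk"}


def _set_encryption_flag(data: bytes) -> bytes:
    """Set general-purpose bit 0 ("encrypted") in every local and central
    file header. Used only to construct a test archive that looks
    password-protected; the member data itself is left untouched."""
    buf = bytearray(data)
    eocd = buf.rfind(EOCD_SIG)
    cd_offset = struct.unpack_from("<I", buf, eocd + 16)[0]  # start of central directory
    pos = cd_offset
    while buf[pos:pos + 4] == CENTRAL_SIG:
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        local_off = struct.unpack_from("<I", buf, pos + 42)[0]
        # flags live at +8 in the central header and at +6 in the local header
        struct.pack_into("<H", buf, pos + 8, struct.unpack_from("<H", buf, pos + 8)[0] | 1)
        struct.pack_into("<H", buf, local_off + 6, struct.unpack_from("<H", buf, local_off + 6)[0] | 1)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(buf)


def build_sample_archive(encrypted: bool, with_payload: bool = True) -> bytes:
    """Constructed sample: a ZIP mimicking a 'cracked installer' download.
    The .exe content is a fake MZ stub, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        if with_payload:
            zf.writestr("setup_crack_v2.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("README.txt", b"Run setup to activate.\n")
    data = buf.getvalue()
    return _set_encryption_flag(data) if encrypted else data


def triage_archive(data: bytes) -> dict:
    """Inspect only the central directory: no password needed.
    Returns the members, which of them are encrypted, which look executable,
    and a verdict a gateway could act on."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
    names = [m.filename for m in members]
    encrypted = [m.filename for m in members if m.flag_bits & 0x1]
    executables = [
        m.filename for m in members
        if os.path.splitext(m.filename.lower())[1] in SUSPICIOUS_EXT
    ]
    if encrypted and executables:
        verdict = "block"      # encrypted archive carrying an executable: the pattern above
    elif encrypted or executables:
        verdict = "review"     # one indicator alone: hold for analyst review
    else:
        verdict = "allow"
    return {"members": names, "encrypted": encrypted, "executables": executables, "verdict": verdict}


if __name__ == "__main__":
    for enc in (True, False):
        print(enc, triage_archive(build_sample_archive(encrypted=enc)))
```

The check deliberately never attempts extraction: extraction of an encrypted member would fail without the password, but the encryption flag and the member names are enough to decide that a download handed to a user as "the software" should not pass unexamined. On real traffic this would run on the archive bytes captured at the web proxy or mail gateway rather than on the constructed sample.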

Kaspersky security solutions have blocked attempts to infect more than 47,500 users worldwide. Some of the most targeted countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the United States.

A single file downloaded from an unreliable source can therefore lead to a large-scale infection of a computer system. Researchers say a large proportion of the malware families dropped by NullMixer are classified as ‘Trojan-Downloaders’, and the resulting infections will not be limited to the malware families described in the report.

“This threat can always be avoided by using only licensed products and robust security solutions,” says Haim Zigel, security researcher at Kaspersky.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.