However, according to a new report from Kaspersky, NullMixer only targets piracy downloaders — web surfers who search Google for terms like “crack,” “keygen,” and “activators.” Although the illegally downloaded programs may appear to be legitimate (as ironic as that sounds), they are in fact infection funnels that unleash absolute chaos on users’ PCs.
What is NullMixer?
NullMixer is a malicious dropper designed to unleash a gaggle of malware programs onto victims’ computers. The infections dropped onto victims’ PCs span roughly 21 malware families. Yes, you read correctly — that’s nearly two dozen! For the sake of brevity, we won’t dive into all of them, but here are some of the most frightening malicious programs:
RedLine Stealer - snatches private credentials, credit card details and digital assets from cryptocurrency wallets
PseudoManuscrypt - spies on victims by stealing their browser cookies and steals cryptocurrencies using the ClipBanker plugin
Fabookie - targets Facebook users by hijacking their accounts and linked payment methods; the attackers then use the stolen credentials to run ads from the compromised account
Generic.ClipBanker - monitors the clipboard for cryptocurrency addresses and automatically replaces them with the perpetrator’s own crypto address (so victims unwittingly send their digital assets to the attackers)
GCleaner - a pay-per-install malicious loader that downloads unwanted apps, letting malicious actors profit from a pricing model that pays out a reward for every install
Vidar - steals sensitive information, including passwords, saved credit cards, and more
Malicious actors use SEO to keep their NullMixer-laced downloads at the top of search engine results for terms like “cracked,” “keygen,” and “activators,” making it easy for victims to stumble into their traps. “When users attempt to download software from one of these sites, they are redirected multiple times, and end up on a page containing the download instructions and archived password-protected malware masquerading as the desired piece of software,” the Kaspersky report said. The Kaspersky investigators said they have been unable to attribute NullMixer to a specific group, but the cybersecurity firm says that since the beginning of the year it has blocked infection attempts against nearly 50,000 potential victims worldwide.