Would-Be Software Pirates Served Malware Through 'NullMixer'NullMixer Opens Windows to Dozens of Malicious Files
Would-be users of pirated software on Windows computers have a decent chance of downloading a slew of viruses courtesy of a malware dropper Kaspersky is calling "NullMixer."
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
Researchers with the Russian cybersecurity company say the company has blocked NullMixer downloads from reaching nearly 48,000 users worldwide.
Industry association BSA, The Software Alliance in 2018 estimated that unlicensed software accounts for 37% of software installed on personal computers, costing industry tens of billions of dollars in lost revenue. Users looking for a cheap shortcut could likewise get shortchanged since hackers have long salted with malware any software putatively meant for cracking licensed applications.
NullMixer doesn't just infect users with one particular virus. "It drops a wide variety of malicious binaries to infect the machine with, such as backdoors, bankers, downloaders, spyware and many others," Kaspersky says. The dropper is hard to miss for anyone attempting to find a way to obtain software keys by hunting for an online tool. Malicious websites use search engine optimization to maintain spots in search results for "cracks" and "keygen."
The infection starts when a user runs the NullMixer executable from a password-protected archive victims have downloaded. They're given the password by the webpage hosting the putative software cracker.
In the version probed by Kaspersky, the first executable dropped and launched a second installer, which in turn dropped dozens of malicious files. Instead of launching them individually, it launched a single NullMixer start component, which launched the malware, one by one.
Among the infections dropped by NullMixer are SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine, Fabookie and ColdStealer.
"In most cases, users receive adware or other unwanted software, but NullMixer is far more dangerous, as it can download a huge number of Trojans at once, which can lead to a large-scale infection of any computer network," researchers say.
One particularly virulent piece of malware dropped by NullMixer is RedLine Stealer, which hunts for credit card and cryptocurrency wallet data. The Lapsus$ extortion group was seen in April using RedLine in its attack targeting the U.S. telecom carrier T-Mobile (see: T-Mobile Breached Again; Lapsus$ Behind the Attack).
Malware Families Unleashed by the Dropper
Some of the other key threat families NullMixer drops include:
- SmokeLoader: This modular malware has been active since 2011. It is typically distributed via phishing emails and drive-by downloads, and over the years it has evolved its capabilities with additional modules that include disabling Windows Defender and anti-analysis techniques. One of the most important uses of SmokeLoader is payload downloading and executing.
- ColdStealer: This new malicious program was discovered in 2022. Like other stealers, its main agenda is to steal credentials and information from web browsers, in addition to stealing cryptocurrency wallets, FTP credentials, various files and information about the system, such as OS version, system language, processor type and clipboard data.
- FormatLoader: The main purpose of this malware is to infect machines with even more malware by downloading software binaries.
- PseudoManuscrypt: Known since June 2021, this program steals browser cookies and monitors user activity through keylogging. It also can steal cryptocurrency by using a plug-in known as ClipBanker.
- Disbuk: Also known as Socelar, this program disguises itself as a legitimate application, such as a PDF editor. It steals Facebook session cookies from the Chrome and Firefox browsers and has done the same for Amazon sessions.
- DanaBot: This Trojan-Banker program has grown since its origin in 2018. It is modular malware that includes various additional modules whose most popular functionalities are stealing information from compromised machines and injecting fake forms into popular e-commerce and social media sites to collect payment data.