Hackers Use NullMixer and SEO to Spread Malware More Efficiently

  • Security researchers from Kaspersky have spotted a new series of campaigns focusing on the malware tool they named NullMixer.

    According to an advisory published by the firm earlier today, NullMixer spreads malware via malicious websites that can be easily found via popular search engines, including Google.

    “These websites are often related to crack, keygen and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper,” reads the advisory.

    The researchers further explained that when users attempt to download software from one of these sites, they are redirected several times and eventually land on a page containing download instructions alongside an archived password–protected malware acting as the desired software tool.

    When a user extracts and executes NullMixer, however, the malicious software drops several malware files to the compromised machine.

    “These malware families may include backdoors, bankers, credential stealers and so on,” Kaspersky wrote. “For example, the following families are among those dropped by NullMixer: SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine, Fabookie, ColdStealer.”

    At the time of writing, the security researchers said in 2022 alone, they’ve blocked attempts to infect more than 47,778 victims worldwide, located mainly across Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the United States.

    Kaspersky also clarified that they are currently unable to attribute NullMixer to any specific group or threat actor.

    More generally, the cybersecurity company warned individuals against trying to save money by using unlicensed software.

    “A single file downloaded from an unreliable source can lead to a large–scale infection of a computer system,” the company wrote.

    Multiple malware families dropped by NullMixer are classified by the company and the general security community as Trojan–Downloaders. This suggests infections may not be limited to the malware families described in the report.

    “Many of the other malware families mentioned here are stealers, and compromised credentials can be used for further attacks inside a local network.”

    The report comes weeks after the FBI warned against cyber–criminals increasingly hijacking home IP addresses to hide credential–stuffing activity and increase their chances of success.