A new malware dropper is being propagated through Google search results, where users looking for fake versions of software and apps end up infected by several malware variants. The dropper, dubbed ‘NullMixer,’ primarily targets Windows devices and acts as an infection funnel, spreading a dozen malware variants onto a single machine.
According to researchers, the infected Windows devices could face several infection attacks, such as spyware, backdoors, infostealers, clipboard hijackers, fake Windows system cleaners, cryptocurrency miners, and more malware loaders.
Through the ‘black hat SEO’ technique, the hackers promote their malicious sites by illegitimately ranking them at the top of the search results or by lowering competitors’ rankings. Users lured into downloading software and app cracks from these malicious sites are redirected to other websites, where the NullMixer malware dropper is downloaded onto their Windows devices as a password-protected ZIP file.
Windows devices from the US, Germany, Italy, France, Russia, India, Egypt, Brazil, and Turkey have been the targets of this new malware-dropping campaign.
In usual circumstances, users who look for software or app cracks ignore anti-virus alerts about potential threats, since they are intentionally downloading pirated files in the first place. Threat actors have leveraged this habit to plant the malware dropper on devices with little resistance.
Based on the analysis of the NullMixer campaign, once the dropper is downloaded and launched on a computer, it creates a new file called ‘setup_installer[.]exe.’
Aside from dropping the malware variants, this file is also responsible for launching a separate executable called ‘setup_install[.]exe.’ That second file then launches all the dropped malware strains on the compromised machine.
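The dropper-to-launcher-to-payload chain described above is the kind of process ancestry a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from any vendor: it walks constructed Sysmon-style process-creation records (hypothetical PIDs and paths) and flags a `setup_installer.exe` parent whose `setup_install.exe` child spawns several further executables, while ignoring a lone `setup_install.exe` with a benign parent.

```python
from collections import defaultdict

# Constructed sample events: (pid, ppid, image_path). Hypothetical values,
# not indicators taken from the article.
EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Users\u\Downloads\crack\setup_installer.exe"),
    (201, 200, r"C:\Users\u\AppData\Local\Temp\setup_install.exe"),
    (202, 201, r"C:\Users\u\AppData\Local\Temp\a.exe"),
    (203, 201, r"C:\Users\u\AppData\Local\Temp\b.exe"),
    (204, 201, r"C:\Users\u\AppData\Local\Temp\c.exe"),
    (300, 100, r"C:\Program Files\App\setup_install.exe"),  # benign name collision
]

DROPPER = "setup_installer.exe"   # file created by NullMixer (per the article)
LAUNCHER = "setup_install.exe"    # executable that launches the payloads


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_nullmixer_chains(events, min_children=3):
    """Return dropper -> launcher -> N payload chains found in the events.

    A launcher-named process alone is weak evidence; we require both the
    expected parent and a fan-out of at least `min_children` child processes.
    """
    image = {pid: path for pid, _, path in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)

    hits = []
    for pid, ppid, path in events:
        if basename(path) != LAUNCHER:
            continue
        if basename(image.get(ppid, "")) != DROPPER:
            continue  # e.g. the legitimate installer at pid 300
        payloads = [image[c] for c in children[pid]]
        if len(payloads) >= min_children:
            hits.append({"dropper_pid": ppid, "launcher_pid": pid,
                         "payloads": payloads})
    return hits


if __name__ == "__main__":
    for hit in find_nullmixer_chains(EVENTS):
        print(hit)
```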
Numerous malware variants are involved in this campaign, including the Raccoon Stealer, Redline Stealer, Vidar Stealer, Damajot, SmokeLoader, PseudoManuscrypt, PrivateLoader, ColdStealer, and Fabookie. Security researchers have yet to unfold why the threat operators have selected these variants specifically.
Furthermore, the experts underline that it would be impossible for all these malware strains to run on a compromised device without the victim noticing an infection. Several symptoms naturally occur during the process, including heavy hard disk activity, unusual performance issues, and a sudden increase in CPU and memory utilisation.
Therefore, users are warned about the risks of downloading pirated software and app copies from untrusted websites online. It is also highly recommended to entirely avoid downloading these cracked software versions, not only because it is risky but also because it is strictly prohibited.