Novel NullMixer Dropper Installs a Dozen Malware Families on PCs

Novel NullMixer Dropper Installs a Dozen Malware Families on PCs

A new malware dropper known as “NullMixer” is concurrently infecting Windows devices with a dozen separate malware families through trumped-up software cracks offered on fraudulent sites in Google Search results. Using a single Windows executable to spawn 12 different malware families, NullMixer serves as an infection funnel, resulting in over 20 infections functioning on a single device.

These infections include malware loaders, bankers, phony Windows system cleansers, clipboard hijackers, cryptocurrency miners, and password-stealing trojans. The malware distributors employ “black hat SEO” to promote websites pushing phony game cracks and pirated software activators in prominent Google search result positions to spread the infection.

Several websites allegedly disseminating this malware were shown in the second, third, and fourth search result positions after doing a Google search test for “software crack.” When unaware consumers try to download software from these websites, they are instead sent to other malicious websites that drop a password-protected ZIP package with a copy of the NullMixer dropper. Users downloading software cracks and cheats ignore AV warnings about unsigned and possibly harmful executables, evading security safeguards, and manually execute them since they frequently need to edit game files.

According to Kaspersky experts who found the new dropper, NullMixer has reportedly already tried to infect 47,778 of Kaspersky’s clients in countries including the United States, Germany, France, Italy, India, Russia, Brazil, Turkey, and Egypt. Typically, NullMixer is downloaded as files with names that sound like “win-setup-i864.exe,” which, when run, produce a new file called “setup_installer.exe.” This new executable runs another executable called “setup_install.exe” after distributing dozens of malware families. That third file starts all malware put on the infected PC via a hardcoded list of their names and the Windows’ cmd.exe’ tool.

Redline Stealer, Danabot, Raccoon Stealer, Vidar Stealer, SmokeLoader, PrivateLoader, ColdStealer, Fabookie, PseudoManuscrypt, and other malware families are among those that NullMixer has removed. It’s unknown why NullMixer operators decided to install and run every family of malware simultaneously on randomly affected PCs. The operators may choose to spread malware to gangs for profit, gain ludicrous degrees of redundancy, or inflict harm for fame.

In any event, it would be challenging for all those malware families to operate on a compromised machine without producing several signs of compromise that would alert the user to the infection. Heavy hard drive activity, increased CPU and memory usage, strange windows popping for no apparent purpose, or just a visible performance problem on the infected system are some examples of these symptoms.

Therefore, NullMixer is less of hidden danger and more of a disastrous encounter that will probably only be remedied by a Windows reinstall. Users should constantly weigh the dangers before downloading executables from shady web sources and stay away from software piracy.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Share: