On Monday, researchers at Kaspersky announced the discovery of a malware family called NullMixer that is being distributed via websites pretending to host cracked software. NullMixer primarily works as a dropper, deploying over a dozen malicious binaries that span several categories, including infostealers, backdoors, trojan downloaders, and cryptocurrency wallet stealers. The websites hosting NullMixer use Search Engine Optimization (SEO) poisoning to raise their position on search engine result pages, pushing more “legitimate” pages further down. The following are among the binaries dropped onto compromised systems:
- FB Stealer – Facebook Credential Harvesting
- DanaBot – Banking/Infostealer
- ColdStealer – Infostealer
- PseudoManuscrypt – Infostealer
- Raccoon Stealer – Infostealer
- Redline Stealer – Infostealer
- Vidar – Infostealer
- FormatLoader – Trojan Downloader
- GCleaner – Trojan Downloader
- LegionLoader (Satacom) – Trojan Downloader
- LgoogLoader – Trojan Downloader
- PrivateLoader – Trojan Downloader
- SgnitLoader – Trojan Downloader
- ShortLoader – Trojan Downloader
- SmokeLoader – Trojan Downloader
- C-Joker – Cryptocurrency Wallet Stealer
Analyst Notes
Companies have several options to combat a campaign like this. Web proxies can block access to web pages based on reputation or content, and can let users report false positives through a ticketing system to reduce the impact on legitimate use. Companies can also use application allow-listing to prevent execution of unwanted executables. Many EDR solutions, when configured properly, can detect and block the loading of malicious software as well.
As a general rule, companies should control which applications are authorized on endpoints in order to reduce attack surface and limit patching overhead. However, the policies governing this should be supported by a strong application request process: one that lets users identify applications that will help them perform their job functions, has those applications researched and tested, and integrates them into the appropriate endpoints and patching schedule. Quick response times discourage rogue downloading of software, which is the primary mechanism of this campaign.
https://thehackernews.com/2022/09/new-nullmixer-malware-campaign-stealing.html