New malware NullMixer hunts for users’ payment data, cryptocurrencies, social network accounts

/in


Kaspersky researchers have uncovered a new campaign, spreading NullMixer — a malware stealing users’ credentials, addresses, credit card data, cryptocurrencies, and even Facebook and Amazon accounts. Trying to download cracked software from third-party sites, more than 47,500 users were attacked with NullMixer, able to spy on users, capturing any information they’re entering on the keyboard.

NullMixer is actively distributed by cybercriminals via websites offering crack, keygen and activators for downloading software illegally. Such untrustworthy pages always pose a threat for users as instead of providing proper software, they infect victims’ devices with malware. In most cases, users receive adware or other unwanted software, but NullMixer is far more dangerous, as it can download a huge number of Trojans at once, which can lead to a large-scale infection of any computer network.

A typical infection takes place when attempting to download cracked software from one of these sites. The user is repeatedly redirected to a page containing a password-protected archived program and detailed instructions. Everything looks normal as if the user is really about to download the software they need. However, following the instructions, the victim actually launches NullMixer, which drops multiple malware files on the infected machine, including downloaders, spyware, backdoors, bankers and other threats.

Trying to install the desired software the user also receives the detailed download instructions
Trying to install the desired software the user also receives the detailed download instructions

Among the threat families spread via NullMixer is the infamous RedLine stealer that hunts for credit card and cryptocurrency wallet data from infected machines, as well as Disbuk, also known as Socelar. Stealing cookies from Facebook and Amazon with Disbuk, attackers can gain access to the victim’s accounts from these sites, obtaining their credentials, addresses and even payment details.

Curiously, cybercriminals specifically used professional SEO tools in order to maintain the first results of search engines, so they could easily be found when searching for “cracks” and “keygens” over the Internet and could target as many users as possible.

Top Google engine results for “crack software” contain malicious websites delivering NullMixer
Top Google engine results…

Source…