NullMixer campaign hunts for payment data, cryptocurrencies and social network accounts

Woburn, MA – September 26, 2022 – Kaspersky researchers have uncovered a new, active campaign spreading NullMixer, a malware that steals users’ credentials, address, credit card data, cryptocurrencies, and even Facebook and Amazon accounts. While trying to download cracked software from third-party sites, more than 47,500 users were attacked with NullMixer, which spies on users, capturing any information they’re entering with the keyboard.

NullMixer is actively distributed by cybercriminals via websites offering cracks, keygen and activators for downloading software illegally. Such untrustworthy pages always pose a threat to users that they might infect their devices with malware. In most cases, users receive adware or other unwanted software, but NullMixer is far more dangerous, as it can download a huge number of Trojans at once, which can lead to a large-scale infection of any computer network.

A typical infection takes place when a user attempts to download cracked software from one of these sites. The user is repeatedly redirected to a page containing a password-protected archived program and detailed instructions. Everything looks normal, as if the user is really about to download the software they need. However, following the instructions, the victim actually launches NullMixer, which drops multiple malware files on the infected machine, including downloaders, spyware, backdoors, bankers and other threats.

While trying to install the desired software, the user receives detailed download instructions

Among the threat families spread via NullMixer is the infamous RedLine stealer that hunts for credit card and cryptocurrency wallet data from infected machines, as well as Disbuk, also known as Socelar. Stealing cookies from Facebook and Amazon with Disbuk, attackers can gain access to the victim's accounts from these sites, obtaining their credentials, address and even payment details.

Curiously, the cybercriminals specifically used professional SEO tools in order to come up early in search engine results, so they could easily be found when searching for “cracks” and “keygens” over the Internet and could target as many users as possible.

 Top Google results for “crack software” contain malicious websites delivering NullMixer

Since the beginning of this year, Kaspersky security solutions have blocked attempts to infect more than 47,500 users worldwide. Some of the most targeted countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the United States.

The geography of NullMixer’s attacks

“Any download of files from untrustworthy resources is a real game of roulette: you never know when it will fire, and which threat you will get this time,” saidHaim Zigel, security researcher at Kaspersky. “Receiving NullMixer, users get several threats at once. Any information you type on your keyboard will be available to the attackers: from messages you write to your friends on Facebook, the address you use to order on Amazon, to logins and passwords from your device or cryptocurrency accounts, and credit card data. As a result, the entire device with all your information is now in the hands of cybercriminals. Keep this in mind when you decide to download something from an unknown site, because this threat can always be avoided by using only licensed products and robust security solutions.”

Read more about NullMixer in the full report on Securelist.

To protect yourself from NullMixer, Kaspersky recommends:

●      Only use trusted sources to download software. Malware and unwanted applications are often distributed through third-party resources where no one will check their security in the same way official web stores do.

●      Do not download pirated software or any other illegal content, even if you are redirected to it from a legitimate website.

●      A safe practice is to check your online accounts regularly for unknown transactions. Even with careful internet surfing, downloaded spyware can steal information as it is entered on safe websites. Spyware functions like a video camera giving another user a window to each action performed on the infected computer. The owner is usually unaware that the malware is on the computer and continues to add personal information into secure, bank websites.

●      Use a robust security solution. Private browsing, like in Kaspersky Internet Security, can help you avoid internet tracking and protect you from threats.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more atusa.kaspersky.com.

Media Contact

Sawyer Van Horn

sawyer.vanhorn@Kaspersky.com

(781) 503-1866