Kaspersky security researchers spotted a new series of campaigns focused on the malicious tool they named NullMixer.
According to a notice released by the company earlier today, NullMixer spreads malware through malicious websites that can be easily found through popular search engines including Google.
“These websites are often linked with cracks, keygens and activators to illegally download software, and although they may pretend to be legitimate software, they actually contain a malware dropper,” the notice reads.
The researchers further explained that when users try to download software from one of these sites, they are redirected several times and finally land on a page with download instructions next to a password-protected archive containing the malware, posing as the desired software tool.
When a user extracts and runs NullMixer, however, the malware drops several malicious files on the compromised machine.
“These malware families may include backdoors, bankers, credential stealers, etc.,” Kaspersky wrote. “For example, the following families are among those dropped by NullMixer: SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine, Fabookie, ColdStealer.”
At the time of writing, the researchers said that in 2022 alone they had blocked infection attempts against more than 47,778 victims worldwide, located primarily in Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the United States.
Kaspersky also clarified that they are currently unable to attribute NullMixer to any specific group or threat actor.
More generally, the cybersecurity company warned individuals against trying to save money by using unlicensed software.
“A single file downloaded from an untrusted source can result in a large-scale infection of a computer system,” the company wrote.
Several of the malware families dropped by NullMixer are classified by the company and the wider security community as Trojan downloaders, which suggests that infections may not be limited to the malware families described in the report.
“Many of the other malware families mentioned here are stealers, and compromised credentials can be used for other attacks inside a local network,” Kaspersky added.
The report comes weeks after the FBI warned that cybercriminals are increasingly hijacking home IP addresses to mask credential stuffing activity and increase their chances of success.