New active campaign NullMixer hunts for users’ payment data, cryptocurrencies and social network accounts

Kaspersky researchers have uncovered a new campaign, spreading NullMixer — a malware stealing users’ credentials, address, credit card data, cryptocurrencies, and even Facebook and Amazon accounts. Trying to download cracked software from third-party sites, more than 47,500 users were attacked with NullMixer, able to spy on users, capturing any information they’re entering on the keyboard. 

NullMixer is actively distributed by cybercriminals via websites offering crack, keygen and activators for downloading software illegally. Such untrustworthy pages always pose a threat for users as instead of providing proper software, they infect victims’ devices with malware. In most cases, users receive adware or other unwanted software, but NullMixer is far more dangerous, as it can download a huge number of Trojans at once, which can lead to a large-scale infection of any computer network.

A typical infection takes place when attempting to download cracked software from one of these sites. The user is repeatedly redirected to a page containing a password-protected archived program and detailed instructions. Everything looks normal as if the user is really about to download the software they need. However, following the instructions, the victim actually launches NullMixer, which drops multiple malware files on the infected machine, including downloaders, spyware, backdoors, bankers and other threats. 

Trying to install the desired software the user also receives the detailed download instructions

Among the threat families spread via NullMixer is the infamous RedLine stealer that hunts for credit card and cryptocurrency wallet data from infected machines, as well as Disbuk, also known as Socelar. Stealing cookies from Facebook and Amazon with Disbuk, attackers can gain access to the victim's accounts from these sites, obtaining their credentials, address and even payment details.

Curiously, cybercriminals specifically used professional SEO tools in order to maintain in the first results of search engines, so they could easily be found when searching for “cracks” and “keygens” over the Internet and could target as many users as possible.

Top Google engine results for “crack software” contain malicious websites delivering NullMixer

Since the beginning of this year Kaspersky security solutions have blocked attempts to infect more than 47,500 users worldwide. Some of the most targeted countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the United States.

The geography of NullMixer’s attacks

“Any download of files from untrustworthy resources is a real game of roulette: you never know when it will fire, and which threat you will get this time. Receiving NullMixer, users get several threats at once. Any information you type on your keyboard will be available to the attackers: from messages you write to your friends on Facebook, the address you use to order on Amazon, to logins and passwords from your device or cryptocurrency accounts, and credit card data. As a result, the entire device with all your information is now in the hands of cybercriminals. Keep this in mind when you decide to download something from an unknown site, because this threat can always be avoided by using only licensed products and robust security solutions,” comments Haim Zigel, security researcher at Kaspersky.

To protect yourself from NullMixer, Kaspersky recommends:

• Only use trusted sources to download software. Malware and unwanted applications are often distributed through third-party resources where no one will check their security in the same way as official web stores do. 
• Do not download pirated software or any other illegal content, even if you are redirected to it from a legitimate website.
• A safe practice is to check your online accounts regularly for unknown transactions. Even with careful Internet surfing, downloaded spyware can steal information as it is entered on safe websites. Spyware functions like a video camera giving another user a window to each action performed on the infected computer. The owner is usually unaware that the malware is on the computer and continues to add personal information into secure, bank websites.
  Use a robust security solution. Private browsing, like in Kaspersky Internet Security, can help you avoid internet tracking and protect you from threats.