The Hacker News
reports that threat actors have been using cracked software to distribute the new NullMixer malware dropper, which could simultaneously deploy various trojans to enable credential, address, cryptocurrency, credit card data, and Facebook and Amazon cookie exfiltration.
Kaspersky researchers found that attacks spreading NullMixer commence with the download of cracked software from malicious sites using search engine optimization poisoning approaches, which then leads to a password-protected archive with an executable enabling malicious file delivery.
Malicious Google Chrome extension FB Stealer and various information-stealing malware, such as ColdStealer, RedLine Stealer, Raccoon Stealer, Vidar
, and PseudoManuscrypt have been found to be spread by NullMixer.
The report also showed that NullMixes was used to deploy the GCleaner, PrivateLoader, LgoogLoader, FormatLoader, ShortLoader, SgnitLoader, LegionLoader, and SmokeLoader trojan downloaders. Meanwhile, more than 47,778 NullMixer infection attempts have been blocked by Kaspersky but the malware dropper has not yet been attributed to a specific threat actor.
"Any download of files from untrustworthy resources is a real game of roulette: you never know when it will fire, and which threat you will get this time. Receiving NullMixer, users get several threats at once," said Kaspersky researcher Haim Zegel.