We’re in the season of aggressive malware campaigns, as evidenced by the growing number of attacks detected and analyzed by security researchers. One type of malware is especially important to carrying out a successful distribution campaign: the dropper.
NullMixer is an example of a new dropper that aids the installation of a range of other trojans. The dropper was recently discovered by Kaspersky’s Secure List threat-hunting team.
So, what should you know about NullMixer’s capabilities and infection path?
NullMixer: Technical Overview
First of all, the dropper starts an infection chain that involves several malware families. The initial infection depends on user execution: the potential victim has to follow a malicious link, download a password-protected ZIP/RAR archive containing a malicious file, and then extract and run that file manually. Distribution takes place on cracked-software websites. The malware operators rely on SEO tricks to rank higher in search results, which increases the chance of a successful infection.
How Does an Infection with NullMixer Happen?
First, the user visits one of the cracked-software websites set up to distribute NullMixer. The subsequent steps are the following:
- The user clicks on the download link for the desired software.
- The link redirects the user to another malicious website.
- The malicious website redirects the user to a third-party IP address webpage.
- The webpage instructs the user to download a password-protected ZIP file from a file sharing website.
- The user extracts the archived file with the password.
- The user runs the installer and executes the malware.
The actual infection occurs when the user extracts the win-setup-i864.exe file from the downloaded password-protected archive and runs it.
What Is win-setup-i864.exe?
Win-setup-i864.exe is an installer built with NSIS (Nullsoft Scriptable Install System), an installation framework that is quite popular among software developers. Unfortunately, malware authors take advantage of it as well. In this case, the installer dropped and launched another file, setup_installer.exe, a self-extracting (SFX) archive wrapped in a Windows executable.
It is in fact setup_installer.exe that drops the numerous malicious files. Rather than launching all of them itself, however, it launches a single executable: the starter component of NullMixer.
“NullMixer’s starter launches all the dropped executable files. To do so, it contains a list of hardcoded file names, and launches them one by one using ‘cmd.exe’,” the report said.
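As an added illustration (not code from the article or from Kaspersky’s report), the Python sketch below shows how a detection rule for the launching pattern just described might look: one parent process starting several distinct executables through cmd.exe within a short time window. The process-creation records, the temp directory and the dropped file names are constructed placeholders, not NullMixer’s real hardcoded list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TMP = r"C:\Users\u\AppData\Local\Temp\7zS1"  # constructed drop directory, not a real indicator
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed Sysmon-style process-creation records:
# (UTC time, parent pid, parent image, child image, child command line).
SAMPLE_EVENTS = [
    ("2022-09-26T10:00:00", 100, r"C:\Users\u\Downloads\win-setup-i864.exe", TMP + r"\setup_installer.exe", "setup_installer.exe"),
    ("2022-09-26T10:00:02", 200, TMP + r"\setup_installer.exe", TMP + r"\starter.exe", "starter.exe"),
    ("2022-09-26T10:00:03", 300, TMP + r"\starter.exe", CMD, f'cmd.exe /c "{TMP}\\drop_01.exe"'),
    ("2022-09-26T10:00:04", 300, TMP + r"\starter.exe", CMD, f'cmd.exe /c "{TMP}\\drop_02.exe"'),
    ("2022-09-26T10:00:06", 300, TMP + r"\starter.exe", CMD, f'cmd.exe /c "{TMP}\\drop_03.exe"'),
    ("2022-09-26T10:00:09", 300, TMP + r"\starter.exe", CMD, f'cmd.exe /c "{TMP}\\drop_04.exe"'),
    ("2022-09-26T10:30:00", 400, r"C:\Windows\explorer.exe", CMD, r'cmd.exe /c "C:\Tools\backup.bat"'),  # benign
    ("2022-09-26T11:00:00", 500, r"C:\Windows\explorer.exe", CMD, r'cmd.exe /c "C:\Tools\update.exe"'),  # benign
]

EXE_RE = re.compile(r'([A-Za-z]:\\[^"\s]+\.exe)', re.I)  # absolute path ending in .exe

def launched_executable(cmdline):
    """Return the absolute .exe path started by a `cmd.exe /c|/k ...` command line, or None."""
    target = re.split(r"\s/[ck]\s+", cmdline, maxsplit=1, flags=re.I)[-1]  # drop the cmd.exe part
    m = EXE_RE.search(target)
    return m.group(1).lower() if m else None

def find_mass_launchers(events, min_children=4, window=timedelta(seconds=30)):
    """Map parent pid -> sorted distinct .exe paths for every parent that started at least
    `min_children` different executables through cmd.exe inside one `window`."""
    launches = defaultdict(list)
    for ts, ppid, _parent, child, cmdline in events:
        if not child.lower().endswith("\\cmd.exe"):
            continue
        exe = launched_executable(cmdline)
        if exe:
            launches[ppid].append((datetime.fromisoformat(ts), exe))
    findings = {}
    for ppid, items in launches.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):  # sliding window over this parent's cmd.exe launches
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            seen = {exe for _, exe in items[lo:hi + 1]}
            if len(seen) >= min_children:
                findings[ppid] = sorted(seen)
                break
    return findings
```

On the constructed sample, only pid 300 (the starter) is flagged; the two explorer.exe-spawned cmd.exe instances stay below the threshold.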
What Malware Does NullMixer Drop?
The list of associated malware families includes loaders, infostealers, clipper malware, pay-per-install malware and adware, such as SmokeLoader, RedLine stealer, PseudoManuscrypt, ColdStealer, CsdiMonetize, Disbuk, Fabookie, DanaBot, Generic.ClipBanker, SgnitLoader, ShortLoader, Downloader.INNO, LgoogLoader, Downloader.Bitser, C-Joker, PrivateLoader, Satacom, GCleaner and Vidar.
“Since the beginning of the year we’ve blocked attempts to infect more than 47,778 victims worldwide. Some of the most targeted countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the United States,” the report added.