Cybercriminals have been observed using SEO poisoning to distribute a new malware loader which tries to infect the target endpoint with a dozen malware families.
Researchers from Kaspersky discovered that for many people, typing the keyword “software crack” into Google brings up multiple websites distributing this new malware loader, some of which have even made it to the famed first page of the search results. The loader in question is called “NullMixer”, and is designed for the Windows operating system and apparently, it installs all kinds of password stealers, viruses, backdoors, banking trojans, crypto miners, you name it. The only thing seemingly missing is ransomware.
Among the malware families installed this way are Redline Stealer, Danabot, Raccoon Stealer, Vidar Stealer, SmokeLoader, PrivateLoader, ColdStealer, Fabookie, PseudoManuscrypt, and others.
Baiting with cracks
The attackers chose “software crack” as their main keyword, researchers believe, due to the fact that people looking for cracks will usually ignore warnings coming from their antivirus programs and install the executable files anyway.
According to Kaspersky, NullMixer has so far tried to infect more than 47,000 endpoints protected by its security solutions. The victims were located all over the world, including the U.S., Germany, France, Italy, India, Russia, Brazil, Turkey, and Egypt.
The researchers were also baffled by the number of malware families being installed via NullMixer. It’s not exactly subtle. Devices that fall victim to this attack will become significantly slower, have windows popping up for no reason, and will showcase numerous other symptoms of infection. Kaspersky suspects that NullMixer could actually be a demonstration, showing other malware operators what it’s capable of doing, until one decides to use it for their own distribution efforts.
As things stand now, the best way to eliminate NullMixer from a compromised device is via a Windows reinstall.
- Check out the best firewalls right now