Cybercriminals have been spotted using SEO poisoning to distribute a new malware loader that tries to infect the target endpoint with a dozen malware families.
Kaspersky researchers have found that, for many users, searching Google for the keyword “software crack” brings up numerous websites distributing this new malware loader, some of which have even made it onto the coveted first page of search results. The loader in question is called “NullMixer”; it targets the Windows operating system and apparently installs all kinds of password stealers, viruses, backdoors, banking Trojans, and cryptocurrency miners. The only thing seemingly missing is ransomware.
Among the malware families installed in this way are Redline Stealer, Danabot, Raccoon Stealer, Vidar Stealer, SmokeLoader, PrivateLoader, ColdStealer, Fabookie, PseudoManuscrypt, and others.
Bait with cracks
Researchers believe that the attackers chose “software crack” as their main keyword because people searching for cracks tend to ignore warnings from their antivirus programs and install the executables anyway.
According to Kaspersky, NullMixer has so far tried to infect over 47,000 endpoints protected by its security solutions. Victims were located all over the world, including the US, Germany, France, Italy, India, Russia, Brazil, Turkey, and Egypt.
Researchers were also surprised by the number of malware families being installed via NullMixer. It is not exactly subtle: devices that fall victim to this attack become significantly slower, windows appear for no reason, and many other symptoms of infection show up. Kaspersky suspects that NullMixer may actually be a demonstration, showing other malware operators what it can do until someone decides to use it for their own distribution activities.
At present, the best way to eliminate NullMixer from a compromised device is to reinstall Windows.
By: Hissing computer