MTM Spyware NullMixer preys on payment data, cryptocurrencies

26/09/2022

Spyware NullMixer preys on payment data, cryptocurrencies and social network user accounts

Kaspersky experts have identified a new cybercriminal campaign distributing the NullMixer spyware. This malware can steal users' login credentials, addresses, credit card details, cryptocurrencies and even Facebook and Amazon accounts by logging everything typed on the keyboard.

More than 47,500 users were infected with NullMixer while trying to download cracked software from third-party sites. In Germany, 1,100 users were affected in the first half of the year, with 143 cases in Austria and 117 in Switzerland. NullMixer is actively distributed by cyber criminals through websites offering cracks, keygens and activators for illegally downloaded software. Such untrustworthy sites always pose a threat, as they often infect victims' devices with malware instead of delivering any software at all. In most cases, users get adware or other unwanted software; however, NullMixer is far more dangerous because it can download a large number of trojans. In the worst case, this leads to a large-scale infection of the computer network.

Subtle, multifunctional compromise tactics

The typical route of infection begins with an attempt to download cracked software from one of these websites. The user is repeatedly redirected to a page containing a password-protected archived program and detailed instructions. Everything in this process looks completely ordinary, as if the user really were downloading the software they want. Following the instructions, however, activates NullMixer, which drops multiple malware files on the infected computer, including downloaders, spyware, backdoors, banking malware and other types of threats. Threat families spreading via NullMixer include the notorious RedLine stealer, which targets credit card and cryptocurrency wallet data on infected machines, and Disbuk, also known as Socelar.

By stealing cookies from Facebook and Amazon with Disbuk, cyber criminals gain access to their victims' accounts, obtaining their login credentials, addresses and even payment details. To lure potential victims, cyber criminals use professional SEO tools to appear among the first search engine results. When searching for "cracks" and "keygens" on the Internet, these websites are therefore easy to find, and as many users as possible are reached. Since the beginning of this year, Kaspersky security solutions have blocked more than 47,500 infection attempts worldwide. Some of the hardest hit countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the US. With 1,100 attacked users, Germany is among the 10 most attacked countries; Austria has 143 cases, Switzerland 117. "Every download from untrustworthy sources is a roulette game," emphasizes Haim Zigel, security researcher at Kaspersky. "You never know where a threat is lurking and when it will attack your own IT infrastructure," so users are advised to use a trusted anti-malware solution while browsing.

With NullMixer, users face multiple threats at once. Any information they type on their keyboard is available to the attackers: from messages they write to friends on Facebook, to the address they use to order from Amazon, to their device logins and passwords, cryptocurrency accounts and credit card details. This leaves the entire device, with all its sensitive information, in the hands of cyber criminals. Therefore, only licensed products should be downloaded, and additional robust security solutions should be used.