Researchers from Kaspersky have uncovered a new campaign spreading malware that steals users’ credentials, addresses, credit card data and cryptocurrency, and even hijacks Facebook and Amazon accounts.
Dubbed NullMixer, the malware is actively distributed by cybercriminals via websites offering cracks, keygens and activators used to install software illegally.
Some 47,500 users attempting to download cracked software from third-party sites were attacked with NullMixer, which is able to spy on users by capturing anything they type on the keyboard.
Kaspersky warns that pages offering such tools always pose a threat: instead of providing legitimate software, they infect victims’ devices with malicious code, and often lead to adware and other unwanted software.
NullMixer, however, is far more dangerous, because it downloads a large number of Trojans at once, which can lead to a massive-scale infection of an entire computer network, the company says.
“A typical infection takes place when attempting to download cracked software from one of these sites. The user is repeatedly redirected to a page containing a password-protected archived program and detailed instructions. Everything looks normal as if the user is really about to download the software they need,” says Kaspersky.
Once the user has followed the instructions, NullMixer is launched and drops multiple malware files on the victim’s machine, including downloaders, spyware, backdoors, banking Trojans and other threats.
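The behaviour described above, one freshly launched executable that immediately spawns many distinct payloads, is something a defender can look for in process-creation telemetry without knowing any of the payload names. The script below is an added example written for this page, not Kaspersky’s code or a NullMixer signature: it assumes a simplified Sysmon-style event line (timestamp, PID, parent PID, image path), uses constructed sample events, and the threshold of five distinct child executables within sixty seconds is an assumption to tune per environment.

```python
"""Heuristic for a NullMixer-style dropper: flag any process that launches
many *distinct* child executables within a short window.

Added example, not the original article's or Kaspersky's code.  The event
format, the sample events and the thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events: "<ISO timestamp> <pid> <ppid> <image>".
# PID 1100 (a "Setup.exe" run from a downloads folder) spawns five different
# executables in 14 seconds; explorer.exe (500) and PID 800 (which only
# respawns conhost.exe) are benign controls and must not be flagged.
SAMPLE_EVENTS = """\
2022-09-26T10:00:00 500 1 C:\\Windows\\explorer.exe
2022-09-26T10:00:01 1000 500 C:\\Program Files\\7-Zip\\7zG.exe
2022-09-26T10:00:05 1100 500 C:\\Users\\u\\Downloads\\crack\\Setup.exe
2022-09-26T10:00:06 1101 1100 C:\\Users\\u\\AppData\\Local\\Temp\\a1.exe
2022-09-26T10:00:07 1102 1100 C:\\Users\\u\\AppData\\Local\\Temp\\a2.exe
2022-09-26T10:00:09 1103 1100 C:\\Users\\u\\AppData\\Local\\Temp\\a3.exe
2022-09-26T10:00:12 1104 1100 C:\\Users\\u\\AppData\\Local\\Temp\\a4.exe
2022-09-26T10:00:20 1105 1100 C:\\Users\\u\\AppData\\Local\\Temp\\a5.exe
2022-09-26T10:00:30 1200 500 C:\\Windows\\System32\\notepad.exe
2022-09-26T10:01:00 1300 800 C:\\Windows\\System32\\conhost.exe
2022-09-26T10:01:01 1301 800 C:\\Windows\\System32\\conhost.exe
2022-09-26T10:01:02 1302 800 C:\\Windows\\System32\\conhost.exe
2022-09-26T10:01:03 1303 800 C:\\Windows\\System32\\conhost.exe
2022-09-26T10:01:04 1304 800 C:\\Windows\\System32\\conhost.exe
"""


def parse_events(text):
    """Parse the assumed event format into dicts; image paths may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, image = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "ppid": int(ppid), "image": image})
    return events


def find_droppers(events, min_children=5, window=timedelta(seconds=60)):
    """Return parents that start >= min_children distinct executables inside `window`.

    Distinct image paths are counted (case-insensitively), so a parent that
    merely respawns the same helper many times is not reported.
    """
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)
    image_of = {e["pid"]: e["image"] for e in events}

    hits = []
    for ppid, children in by_parent.items():
        children.sort(key=lambda e: e["ts"])
        # Slide a window starting at each child launch and count distinct images.
        for i, start in enumerate(children):
            seen = set()
            for child in children[i:]:
                if child["ts"] - start["ts"] > window:
                    break
                seen.add(child["image"].lower())
            if len(seen) >= min_children:
                hits.append({"ppid": ppid,
                             "image": image_of.get(ppid, "<unknown>"),
                             "children": sorted(seen)})
                break  # one report per parent is enough
    return hits


if __name__ == "__main__":
    for hit in find_droppers(parse_events(SAMPLE_EVENTS)):
        print(f"suspected dropper pid={hit['ppid']} image={hit['image']}")
        for child in hit["children"]:
            print(f"    spawned {child}")
```

In a real deployment the event source would be Sysmon Event ID 1 or an EDR process tree rather than a text file, and legitimate installers and build tools will trip the same heuristic, so the hit list is a triage queue for an analyst, not a blocking rule.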
Among the threat families spread via NullMixer is the notorious RedLine stealer that hunts for credit card and crypto-currency wallet data from infected machines, as well as Disbuk, also known as Socelar.
By stealing cookies from Facebook and Amazon with Disbuk, threat actors can gain access to the victim’s accounts from these sites, obtaining their credentials, address, and even payment details.
According to Kaspersky, the bad actors used professional SEO tools to keep their pages among the top search-engine results for “cracks” and “keygens”, so that anyone searching for such software would easily find them and the campaign could reach as many users as possible.
Haim Zigel, a security researcher at Kaspersky, describes downloading files from untrustworthy resources as being like playing Russian roulette. “You never know when it will fire, and which threat you will get this time.”
He says that with NullMixer, users get a smorgasbord of threats at once. “Any information you type on your keyboard will be available to the attackers: from messages you write to your friends on Facebook, the address you use to order on Amazon, to logins and passwords from your device or crypto-currency accounts, and credit card data.”
As a result, he says the entire device with all the user’s information is now in the hands of malefactors. “Keep this in mind when you decide to download something from an unknown site because this threat can always be avoided by using only licensed products and robust security solutions.”