{"id":31116,"date":"2022-10-05T22:54:54","date_gmt":"2022-10-05T11:54:54","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/nullmixer-trojan-dropper\/31116\/"},"modified":"2022-10-05T22:55:06","modified_gmt":"2022-10-05T11:55:06","slug":"nullmixer-trojan-dropper","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/nullmixer-trojan-dropper\/31116\/","title":{"rendered":"NullMixer: multiple malware in one"},"content":{"rendered":"<p>Downloading pirated software is always a lottery: some get lucky, others less so; the user might end up losing even more money than they\u2019d pay for a license. We\u2019ve already talked a lot about various types of malware that hide under the guise of <a href=\"https:\/\/www.kaspersky.com\/blog\/malware-in-pirated-games-2021\/41352\/\" target=\"_blank\" rel=\"noopener nofollow\">pirated games<\/a> and spread <a href=\"https:\/\/www.kaspersky.com\/blog\/pirate-matryoshka-malware\/25905\/\" target=\"_blank\" rel=\"noopener nofollow\">through torrents<\/a>. Recently, our researchers <a href=\"https:\/\/securelist.com\/nullmixer-oodles-of-trojans-in-a-single-dropper\/107498\/\" target=\"_blank\" rel=\"nofollow noopener\">published<\/a> a new study of the NullMixer dropper \u2014 another widespread threat that users may encounter if downloading unlicensed software.<\/p>\n<h2>What are Trojan droppers? For example \u2014 NullMixer<\/h2>\n<p>\nIn simple terms, <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/trojan-droppers\/\" target=\"_blank\" rel=\"noopener\">Trojan droppers<\/a> (or just \u201cdroppers\u201d) are tools for distributing malicious software. Their main purpose is to quietly install other malware (in some cases several instances) on the user\u2019s device. 
Let\u2019s find out how they do it using NullMixer as an example.<\/p>\n<p>This dropper is distributed through sites promising users pirated software and <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/crack\/\" target=\"_blank\" rel=\"noopener\">cracks<\/a> (tools for breaking the protection of legitimate software). Malware developers make clever use of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Search_engine_optimization\" target=\"_blank\" rel=\"nofollow noopener\">search engine optimization<\/a> (SEO) tools. For queries like \u201ccracked software\u201d or \u201ckeygens\u201d (slang for <a href=\"https:\/\/en.wikipedia.org\/wiki\/Keygen\" target=\"_blank\" rel=\"nofollow noopener\">key generator<\/a>), the malicious sites in question often appear at the top of search results.<\/p>\n<p>When trying to download pirated software from such a site, the user is redirected several times until they end up on a certain web page. On this page, they see a link to a password-protected archive and instructions on how to download and unpack it.<\/p>\n<div id=\"attachment_45727\" style=\"width: 576px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2022\/10\/05225501\/nullmixer-trojan-dropper-1.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-45727\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2022\/10\/05225501\/nullmixer-trojan-dropper-1.png\" alt=\"Archive and instructions for downloading fake pirated software\" width=\"566\" height=\"653\" class=\"size-full wp-image-45727\"><\/a><p id=\"caption-attachment-45727\" class=\"wp-caption-text\">Archive and instructions for downloading fake pirated software<\/p><\/div>\n<p>The good news is that there are no tricky mechanisms here to infect the victim\u2019s computer simply by having them visit the site. 
All steps \u2014 from clicking the link to downloading the malware and eventually launching it \u2014 must be completed by users themselves. If a victim smells a rat and stops, nothing will happen to the computer. NullMixer distributors are clearly counting on creating a false sense of security: many people think that nothing bad could possibly appear on the first page of search results, and so carelessly click away and end up installing a Trojan.<\/p>\n<h2>What malware comes with NullMixer<\/h2>\n<p>\nNullMixer runs many instances of malware all at once, and more than half of them are malicious <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/downloader\/\" target=\"_blank\" rel=\"noopener\">downloaders<\/a>. That is, once launched, they plant some other thing (or more likely, things) on your system. As a result, instead of the program you want, you get a whole host of malware.<\/p>\n<p>What else comes in the package besides downloaders? A whole set of <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/trojan-psw-psw-password-stealing-ware\/\" target=\"_blank\" rel=\"noopener\">stealers<\/a> \u2014 programs that hunt for login credentials. 
The most infamous of these is <a href=\"https:\/\/www.kaspersky.com\/blog\/redline-stealer-self-propagates-on-youtube\/45528\/\" target=\"_blank\" rel=\"noopener nofollow\">RedLine<\/a>, which first showed up on researchers\u2019 radars in 2020 and has since become a \u201cmarket leader.\u201d It steals passwords, bank card details, cryptowallet keys, session cookies (that allow anyone to log into your accounts without passwords), and messages from IMs.<\/p>\n<p>In addition to downloaders and stealers, NullMixer victims get a couple of <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/banker-trojan-banker\/\" target=\"_blank\" rel=\"noopener\">banking Trojans<\/a>, most notably <a href=\"https:\/\/www.kaspersky.com\/blog\/attack-on-online-retail\/31786\/\" target=\"_blank\" rel=\"noopener nofollow\">DanaBot<\/a>. This one not only steals information from the device but can inject fake forms on online store or social network pages, so that victims themselves share their bank card data with it. Perhaps most importantly, DanaBot can provide its owners with full access to the infected device, allowing the attackers to do whatever they want.<\/p>\n<p>And last but not least, the NullMixer assortment also includes full-fledged spyware. The <a href=\"https:\/\/ics-cert.kaspersky.com\/publications\/reports\/2021\/12\/16\/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign\/%23kvbwoercdlcjawq6\" target=\"_blank\" rel=\"noopener\">PseudoManuscrypt Trojan<\/a> can steal user data (even when it\u2019s sent through a VPN), take screenshots, and record audio and on-screen video. Like a real spy, it can also cover its tracks: to hide its activity, PseudoManuscrypt deletes <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/log-file\/\" target=\"_blank\" rel=\"noopener\">system logs<\/a>.<\/p>\n<h2>How not to fall victim to the cybercriminals<\/h2>\n<p>\nAs we said at the start, downloading pirated software is always a risky venture. 
So, as ever, we recommend installing only licensed programs downloaded from official sources. If, for some reason, you are unable to purchase a full-price license, you could always look for a free alternative, use a trial version for a while, or wait for some discounts. In <a href=\"https:\/\/www.kaspersky.com\/blog\/whats-wrong-with-cheap-game-keys\/35682\/\" target=\"_blank\" rel=\"noopener nofollow\">this post<\/a>, for example, we explain how to save on games without breaking the law or risking your money or accounts.<\/p>\n<p>To make sure your device is truly secure, use a <a href=\"https:\/\/www.kaspersky.com.au\/premium?icid=au_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">reliable security solution<\/a> that will keep malware at bay. Our products successfully catch NullMixer itself plus all the jolly company it brings with it.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-generic\">\n","protected":false},"excerpt":{"rendered":"<p>We explain how the NullMixer dropper can download numerous Trojans onto a 
device.<\/p>\n","protected":false},"author":2477,"featured_media":31119,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2646],"tags":[3427,3565,1521,723,113],"class_list":{"0":"post-31116","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-droppers","9":"tag-nullmixer","10":"tag-pirates","11":"tag-trojans","12":"tag-windows"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/nullmixer-trojan-dropper\/31116\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/nullmixer-trojan-dropper\/24741\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/nullmixer-trojan-dropper\/20212\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/nullmixer-trojan-dropper\/27215\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/nullmixer-trojan-dropper\/25069\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/nullmixer-trojan-dropper\/25372\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/nullmixer-trojan-dropper\/27911\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/nullmixer-trojan-dropper\/27253\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/nullmixer-trojan-dropper\/34055\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/nullmixer-trojan-dropper\/11093\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/nullmixer-trojan-dropper\/45723\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/nullmixer-trojan-dropper\/19559\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/nullmixer-trojan-dropper\/20128\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/nullmixer-trojan-dropper\/29356\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/nullmixer-trojan-dropper\/32603\/"},{"hreflang":"
ru-kz","url":"https:\/\/blog.kaspersky.kz\/nullmixer-trojan-dropper\/25492\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/nullmixer-trojan-dropper\/30806\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/trojans\/","name":"trojans"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/31116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2477"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=31116"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/31116\/revisions"}],"predecessor-version":[{"id":31118,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/31116\/revisions\/31118"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/31119"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=31116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=31116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=31116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}