It's only after a user clicks a malicious link, downloads the malware, and then launches it that NullMixer is deployed. But once the dropper infects a victim's system, it deploys a whole bunch of bad malware, from spyware to Trojans.
The multihyphenated malware threat lurks among sites promising licensed software workarounds and fake security key generators, according to Kaspersky, which just published a report on NullMixer.
The malicious domains appear legitimate to users because those sites have found their way up to the first page of the Google search rankings for keywords like "cracked software" and "keygen," using advanced search engine optimization (SEO) tools, Kasperky said. Unfortunately, it's not just home users at risk — thanks to the work-from-home phenomenon and people using personal devices for work purposes, the danger to companies from these kinds of threats is clear and present.
"NullMixer runs many instances of malware all at once, and more than half of them are malicious downloaders," the Kaspersky report said. "That is, once launched, they plant some other thing (or more likely, things) on your system. As a result, instead of the program you want, you get a whole host of malware."
Banking Trojans like DanaBot, a set of stealers including RedLine, and spyware, notably the PseudoManuscrypt Trojan, are just a few of the types of malware the NullMixer dropper is carrying, the report explained.
"As we said at the start, downloading pirated software is always a risky venture," Kaspersky stressed in the NullMixer brief.