Researchers at Kaspersky Lab have found a number of fraudulent websites offering keygens, activators, cracks and similar tools that instead steal data from the victim's device. The scammers use NullMixer, a dropper that delivers other malware from their infected websites. The creators of these websites have not yet been identified, but researchers have observed that they use search engine optimization (SEO) techniques to appear among the top results in Google searches.
When a user searches online for websites offering keygens or activators to gain illegal access to software and downloads from one of them, NullMixer drops several pieces of malware onto the device to carry out the attack. These websites look legitimate but carry the NullMixer dropper.
What is NullMixer?
The NullMixer dropper can install a number of malware families that pose several security hazards and gain remote access to the device. These include backdoors, used to bypass security measures and carry out the intended attack; spyware, which accesses the victim's device or apps to monitor their online activity; and a banker dropper, a trojan downloader that gains access to stored passwords, cookies, certificates and so on.
Some of the detected malware include:
- RedLine Stealer
- SmokeLoader
- Racealer
- ClipBanker
- ColdStealer
- CsdiMonetize
- Disbuk
- Fabookie
- DanaBot
- SgnitLoader
When a user finds a website they need, it opens a multitude of other pages as redirects before they finally reach the intended download, where the infection begins. Users are asked to download a password-protected ZIP file. After entering the password supplied with the file, the installation takes place, followed by the execution of the malware.
Moreover, it can also tamper with Windows Defender settings, which poses a threat to the device if its antivirus capabilities are stopped. To do so, it uses this command line:
"cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"
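As an added example (not from the article or from Kaspersky), the following Python detection logic flags process-creation command lines that weaken Defender the way the command above does; the sample command lines are constructed, and the parameter names and values are those seen in the quoted command.

```python
import re
from typing import Dict, List

# Set-MpPreference parameters the dropper's command sets, mapped to the values
# that weaken Defender (enum names and their numeric equivalents, lower-cased).
RISKY_SETTINGS: Dict[str, set] = {
    "DisableRealtimeMonitoring": {"$true", "1"},
    "SubmitSamplesConsent": {"neversend", "2"},
    "MAPSReporting": {"disable", "disabled", "0"},
}

def find_defender_tampering(command_line: str) -> List[str]:
    """Return the names of Defender settings a command line weakens.

    Matching is case-insensitive (as PowerShell is) and accepts both the
    '-Param value' and '-Param:value' argument forms.
    """
    if not re.search(r"set-mppreference", command_line, re.IGNORECASE):
        return []
    hits = []
    for name, bad_values in RISKY_SETTINGS.items():
        match = re.search(rf"-{name}\b(?::\s*|\s+)(\$?\w+)", command_line, re.IGNORECASE)
        if match and match.group(1).lower() in bad_values:
            hits.append(name)
    return hits

def triage(command_lines: List[str]) -> Dict[int, List[str]]:
    """Map the index of each suspicious event to the settings it weakens."""
    findings = {}
    for index, command_line in enumerate(command_lines):
        hits = find_defender_tampering(command_line)
        if hits:
            findings[index] = hits
    return findings

# Constructed process-creation command lines (not taken from real logs):
SAMPLE_COMMAND_LINES = [
    # mirrors the dropper's command quoted in the article
    "cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive "
    "-Command Set-MpPreference -DisableRealtimeMonitoring $true "
    "-SubmitSamplesConsent NeverSend -MAPSReporting Disable",
    # legitimate administration: re-enabling real-time monitoring
    "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $false",
    # unrelated process
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for index, weakened in triage(SAMPLE_COMMAND_LINES).items():
        print(f"event {index}: weakens {', '.join(weakened)}")
```

A hit on the first sample is worth correlating with the Defender operational log (event 5001, real-time protection disabled) before alerting, since administrators also run Set-MpPreference legitimately.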
Avoid using keygen and activators
The only consolation is that NullMixer relies on user action to execute. It is best to avoid seeking illegitimate access to software, because NullMixer can cause considerable damage, ranging from stealing credentials to targeting cryptocurrency wallets. It cannot infect a machine unless the victim clicks and downloads a password-protected ZIP or RAR archive hosted on an illegitimate website offering keygens. These archives contain malware that depends on the user's action to extract and execute it. The executable in question has been found to be 'win-setup-i864.exe', extracted from the password-protected archive.