This Evil Dropper Infects You With Dozens Of Malware Strains At The Same Time

Cybercriminals have been observed using SEO poisoning to distribute a new malware loader that attempts to infect the target device with a dozen malware families.

Kaspersky researchers found that, for many people, typing the keyword "software crack" into Google brings up several websites distributing this new malware loader, some of which even made it to the famous first page of search results. The loader in question is called "NullMixer". It targets the Windows operating system and apparently installs all kinds of password stealers, viruses, backdoors, banking Trojans, cryptominers, and more. The only thing apparently missing is ransomware.

Malware families installed this way include Redline Stealer, Danabot, Raccoon Stealer, Vidar Stealer, SmokeLoader, PrivateLoader, ColdStealer, Fabookie, PseudoManuscrypt, and others.

Cracked bait

The attackers chose "software crack" as their primary keyword, the researchers said, because people looking for cracks typically ignore warnings from their antivirus programs and install the executable files anyway.

According to Kaspersky, NullMixer has so far attempted to infect more than 47 endpoints protected by its security solutions. The victims were located all over the world, including the United States, Germany, France, Italy, India, Russia, Brazil, Turkey, and Egypt.

The researchers were also puzzled by the sheer number of malware families installed through NullMixer, since it is not subtle at all. Devices that fall victim to this attack become significantly slower, have windows that open for no reason, and display many other symptoms of infection. Kaspersky suspects that NullMixer could actually be a demo, showing other malware operators what it's capable of until one of them decides to use it for their own distribution efforts.

As it stands, the best way to remove NullMixer from a compromised device is to reinstall Windows.

Via: BleepingComputer