Researchers discovered a new malicious operation that uses the NullMixer package to launch polymorphic loaders. This widespread campaign harvests data for dark web markets and provides third-party consumers, such as ransomware actors, with access to compromised servers and networks.
Based on reports, the operation started at the beginning of this month and has already compromised over 8,000 targets worldwide. The threat actors have targeted nearly 90 countries and infected about 297 new victims daily.
The most affected organisations were in North America, Latin America, and some European countries.
The NullMixer operators use a Search Engine Optimisation poisoning strategy.
According to investigations, the NullMixer actors used social engineering tactics to bait targets such as technocrats and IT staff. The operation deceives system administrators into installing compromised software, including a cracked version of an IT management product.
Furthermore, the adversaries use several YouTube videos to advertise their compromised software. One of these downloads is served from a URL hidden behind a URL shortener service.
The initial payloads deployed by the NullMixer attack include a WinRAR self-extracting executable that automatically runs the binaries bundled inside it. These archives contain multiple off-the-shelf infostealer and loader malware strains.
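As an added example, not taken from the original report, the following Python triage check targets the delivery mechanism just described: it flags a Windows executable that carries an embedded RAR archive (the hallmark of a WinRAR self-extracting archive) and lists any SFX script commands that would run the bundled binaries without user interaction. The RAR marker bytes and the SFX command names are public WinRAR format values; the sample bytes are constructed for the demonstration.

```python
# Public RAR archive marker bytes: RAR 1.5-4.x and RAR 5.x
RAR4_MARK = b"Rar!\x1a\x07\x00"
RAR5_MARK = b"Rar!\x1a\x07\x01\x00"
# WinRAR SFX script commands that make the archive run or overwrite its
# contents silently (assumed watch-list for this example; extend as needed)
AUTORUN_CMDS = (b"Setup=", b"Silent=", b"TempMode", b"Overwrite=")


def find_embedded_rar(data: bytes):
    """Return (offset, version) of the first RAR marker found inside an MZ
    executable, or None if the data is not a PE image carrying an archive.
    The search starts after the 64-byte DOS header so a plain .rar file
    (marker at offset 0, no MZ stub) is never mistaken for an SFX."""
    if not data.startswith(b"MZ"):
        return None
    hits = [(data.find(mark, 64), ver)
            for mark, ver in ((RAR5_MARK, "RAR5"), (RAR4_MARK, "RAR4"))]
    hits = [h for h in hits if h[0] != -1]
    return min(hits) if hits else None


def sfx_script_commands(data: bytes, start: int) -> list:
    """List SFX script commands visible as plain text after the marker.
    Only works when the archive comment holding the script is stored
    uncompressed; a compressed comment needs a RAR parser instead."""
    tail = data[start:]
    return [cmd.decode() for cmd in AUTORUN_CMDS if cmd in tail]


def triage(data: bytes) -> dict:
    """Summarise whether a PE image is a RAR SFX and which autorun commands
    it carries, for a quick defender-side look at a suspect installer."""
    found = find_embedded_rar(data)
    if found is None:
        return {"sfx": False}
    offset, version = found
    return {"sfx": True, "rar_version": version, "archive_offset": offset,
            "autorun_commands": sfx_script_commands(data, offset)}


# Constructed samples (not real campaign files): a minimal MZ stub, then a
# RAR4 marker followed by an uncompressed SFX comment with script commands.
STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200
SAMPLE_SFX = (STUB + RAR4_MARK + b"\x73\x00\x00\x0d" + b"\x00" * 9
              + b";SFX script follows\r\nSetup=update.exe\r\nSilent=1\r\nOverwrite=1\r\n")
SAMPLE_PLAIN = STUB  # ordinary executable with no embedded archive

if __name__ == "__main__":
    print(triage(SAMPLE_SFX))
    print(triage(SAMPLE_PLAIN))
```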
The confirmed payloads in these newly discovered attacks are the PseudoManuscrypt loader, Raccoon Stealer, GCleaner spyware, the Koi info-stealer, Crashtech Loader, and the Fabookie wallet stealer.
These stealers have different capabilities, which lets the threat operators tailor their attacks to each target. The threat actors could also alter their operations depending on which payloads they deploy. Currently, North America has been the most affected region, as the threat actors targeted numerous organisations in the United States.
However, organisations worldwide should also be wary of these attacks, as the campaign reaches many countries and the threat actors could deploy a variety of malicious tools.
The NullMixer operators use it as a delivery tool for various third-party malware strains. This suggests that the threat actors may have brought new affiliates into their attacks. Security researchers should therefore analyse the threat actors' TTPs to stay one step ahead of the current malicious operation.