NullMixer acts as a dropper delivering a wide range of malware families by redirecting users from cracked software sites through SEO-driven pages. It drops numerous trojans and stealers, including SmokeLoader, RedLine Stealer, PseudoManuscrypt, ColdStealer, and more, via a multi-stage infection chain. hashtags: #NullMixer #SmokeLoader #RedLine #PseudoManuscrypt #ColdStealer #LgoogLoader #Disbuk #Fabookie
Keypoints
- NullMixer is a dropper that delivers a wide variety of malware families by targeting users who look for cracked software on SEO-optimized sites.
- The initial infection relies on User Execution, where a user clicks a malicious link and opens a password-protected archive that is extracted and run.
- The dropper uses an NSIS installation flow with a “starter” component that launches many dropped binaries via cmd.exe, and it also attempts to disable Windows Defender via PowerShell commands.
- Dropped malware families include backdoors, bankers, downloaders, and stealers such as SmokeLoader, RedLine, PseudoManuscrypt, ColdStealer, DanaBot, and others, each with distinct capabilities.
- NullMixer employs multiple loader/downloader families (FormatLoader, SgnitLoader, ShortLoader, LgoogLoader, Downloader.Bitser, Downloader.INNO, etc.) to fetch and execute payloads.
- Victims span many countries, with thousands of infection attempts blocked; Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey, and the United States are notably impacted.
- Attribution remains uncertain, and the campaign highlights how pay-per-install and data theft can propagate across networks.
MITRE Techniques
- [T1204] User Execution – The initial vector requires the victim to click a malicious link, download a password-protected ZIP/RAR archive, and manually extract and run the file inside. ‘The infection vector of NullMixer is based on a ‘User Execution’ (MITRE Technique: T1204) malicious link that requires the end user to click on and download a password-protected ZIP/RAR archive with a malicious file that is extracted and executed manually.’
- [T1189] Drive-by Compromise – Users visit malicious sites promoted via SEO and are redirected through multiple steps to download malware. ‘Top Google search engine results for “crack software” contain malicious websites delivering NullMixer’
- [T1059.001] PowerShell – The malware uses a PowerShell command to disable Defender real-time protection during the installation: ‘cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable’
- [T1059.003] Windows Command Shell – The starter component launches all dropped executables via cmd.exe, enabling the execution chain.
- [T1555.003] Credentials from Web Browsers – Several dropped families steal browser credentials and data (e.g., cookies, autofill, payment data) from multiple browsers.
- [T1056.001] Keylogging – Some modules perform keylogging and credential harvesting as part of stealing sensitive user data.
- [T1115] Clipboard Data – Generic.ClipBanker includes clipboard hijacking to replace cryptocurrency addresses during transfers.
- [T1021.005] Virtual Network Computing (VNC) – Some components provide remote access capabilities via VNC, enabling remote control of infected hosts.
- [T1071.004] Application Layer Protocol: DNS – Satacom uses DNS TXT queries to retrieve C2 addresses (e.g., ‘reosio.com’) and decodes a base64 string to obtain the real C2 URL.
- [T1059.001] PowerShell (additional) – Several loader components invoke PowerShell-based actions as part of defense evasion and payload deployment.
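As an added example (not from the Securelist report), the two starter behaviours above can be turned into detection logic over process-creation telemetry: flagging any command line that weakens Defender through Set-MpPreference, and flagging a single parent that uses cmd.exe to launch several distinct dropped executables. The Sysmon-style event records and file names below are constructed sample input; field names are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 3900, "image": r"C:\Users\u\AppData\Local\Temp\setup_installer.exe",
     "cmdline": "setup_installer.exe"},
    {"pid": 4010, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive "
                r"-Command Set-MpPreference -DisableRealtimeMonitoring $true "
                r"-SubmitSamplesConsent NeverSend -MAPSReporting Disable"},
    {"pid": 4020, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\win-setup-i864.exe"'},
    {"pid": 4021, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\dllhostwin.exe"'},
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Get-MpPreference"},  # benign read-only query
]

# Defender settings the starter component turns off, each paired with its weak value.
TAMPER_PATTERNS = {
    "DisableRealtimeMonitoring": re.compile(r"-DisableRealtimeMonitoring\s+(\$?true|1)\b", re.I),
    "SubmitSamplesConsent": re.compile(r"-SubmitSamplesConsent\s+NeverSend", re.I),
    "MAPSReporting": re.compile(r"-MAPSReporting\s+Disable", re.I),
}

def defender_tampering(cmdline):
    """Return the Defender settings a command line weakens via Set-MpPreference."""
    # Collapse whitespace runs so padding between arguments does not break the match.
    flat = re.sub(r"\s+", " ", cmdline)
    if not re.search(r"\bSet-MpPreference\b", flat, re.I):
        return []
    return [name for name, pat in TAMPER_PATTERNS.items() if pat.search(flat)]

def starter_fanout(events, min_children=2):
    """Map each parent PID to the distinct .exe files it ran through cmd.exe /c."""
    launched = {}
    for ev in events:
        if not ev["image"].lower().endswith(r"\cmd.exe"):
            continue
        m = re.search(r'/c\s+"?([^"\s]+\.exe)"?', ev["cmdline"], re.I)
        if m and "powershell" not in m.group(1).lower():
            exe = m.group(1).rsplit("\\", 1)[-1].lower()  # keep the file name only
            launched.setdefault(ev["ppid"], set()).add(exe)
    return {ppid: sorted(exes) for ppid, exes in launched.items() if len(exes) >= min_children}

def scan(events):
    """Return (Defender-tampering findings, cmd.exe fan-out findings) for a batch."""
    tamper = [(ev["pid"], defender_tampering(ev["cmdline"])) for ev in events]
    return [t for t in tamper if t[1]], starter_fanout(events)
```

Both checks are deliberately cheap so they can run over every process-creation event; in practice the fan-out rule should additionally be scoped to executables under user-writable paths such as %TEMP%.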
Indicators of Compromise
- [URL] Malicious URLs – hxxps://signaturebusinesspark[.]com/360/fw3.exe, hxxps://signaturebusinesspark[.]com/360/fw4.exe, and other items
- [Domain] C2/distribution domains – presstheme.me, signaturebusinesspark[.]com, and other domains
- [IP] C2/download sources – 137.184.159.42, 185.186.142.166, and other IPs
- [Hash] Malicious file hashes – 06B31367D65A411B1F2A7B3091FB31D4, D91325640F392D33409B8F1B2315B97C, and 1 more hash
- [Hash] Additional hashes across families – 4EC312D77817D8FB90403FF87B88D5E3, CC722FD0BD387CF472350DC2DD7DDD1E, and 1 more
- [File Name] Dropped/executed binaries – win-setup-i864.exe, setup_installer.exe, dllhostwin.exe, and others
Read more: https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/