Updates from the MaaS: new threats delivered through NullMixer

The article analyzes the March 2023 NullMixer malware operation, highlighting how opportunistic attackers used malvertising and cracked software to infect thousands of endpoints across Europe, including Italy and France. It also details a MaaS/PPI ecosystem delivering multiple loaders (CrashedLoader, Koi, and others), PowerShell stages, and memory-based C2 communications used to steal data from Windows and IoT devices. #NullMixer #Koi

Keypoints

  • 8,000+ endpoints compromised in 30 days across 87 countries, with Italy and France among the top European targets.
  • Victims predominantly run Windows 10 Pro/Enterprise and Windows Server Datacenter; some Windows Embedded devices indicate IoT exposure.
  • NullMixer bundles new loaders from MaaS and PPI operators, including CrashedLoader (CrashedTech) and the Koi loader, plus other components such as PseudoManuscrypt code.
  • The malvertising campaign lures system administrators with cracked software (EaseUS Partition Master, Driver Easy Pro) via YouTube videos, BlogSpot, Bitly, and Mega.nz hosting.
  • Payloads include multiple loaders and information stealers (e.g., Crack.exe, KiffAppE2.exe, sqlcmd.exe, ss29.exe, lower.exe) and a PowerShell-based delivery chain.
  • Loader chains use HTTP-based C2 with ECC-based encryption, and some components operate in memory to avoid disk traces; data is exfiltrated to underground markets.
  • Several notable samples and families are described (Koi, Fabookie Stealer, Raccoon Stealer, etc.), illustrating the broader MaaS ecosystem and its evolving infection techniques.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malvertising steered users toward backdoored, cracked copies of well-known PC maintenance tools: “the identified attack wave was designed to trick users to install backdoored, cracked versions of notorious PC maintenance software such as “EaseUS Partition Master” and “Driver Easy Pro””.
  • [T1071.001] Web Protocols – C2 communications occur over HTTP, with encryption applied to the payload: “All these communications happen in plain HTTP” and “The shared secret is used to encrypt the GZipped memory stream using a xor-based algorithm in a compress-then-encrypt fashion.”
  • [T1059.001] PowerShell – The loader downloads and executes PowerShell code (debug scripts) from remote sources: “The loader downloads the PowerShell script from a Pakistani compromised WordPress site. The typical names we observed to be downloaded are ‘debug2.ps1’, ‘debug20.ps1’, ‘debug4.ps1’…”
  • [T1027] Obfuscated Files or Information – The malware uses polymorphic loaders and encrypts its in-memory streams; a multi-stage protection scheme shields the embedded code: “multi-stage polymorphic protection scheme” and “encrypt the GZipped memory stream using a xor-based algorithm.”
  • [T1497] Virtualization/Sandbox Evasion – Before running, the loader checks for sandbox and AV-emulation indicators, and it uses a mutex to avoid re-infecting a host: “checks for the presence of video controller of the Wine emulation framework, along with common user names and computer names used by sandboxes or by AV emulation routines.”
  • [T1555.003] Credentials from Web Browsers – The Koi module steals credentials from applications and browsers (e.g., Chrome) and from crypto-wallets: “information stealer functionalities such as password stealing from FileZilla, Chrome browser, and Discord, crypto-wallets stealing, …” and “2FA secrets from Twilio’s Authy local storage.”
  • [T1041] Exfiltration Over C2 Channel – Stolen data is pushed to underground markets: “data that are now reaching the underground black markets.”

Indicators of Compromise

  • [URL] Malvertising/Drop URLs – https://www.youtube.com/watch?v=67UdCa9AbPA, https://bit.ly/3IqujMB, and other hosting/service links (e.g., crackfinddownload.blogspot.com/2023/02/your-download-link-httpswww.html, mega.nz/file/SRgjGSpL#wDXn2ER24p_e43NwPOtQaa)
  • [Hash] File hashes – 324db70fad161852fb9a12b202b6c8ad, 53f9c2f2f1a755fc04130fd5e9fcaff4, 9725ec075e92e25ea5b6e99c35c7aa74, 6ffbbca108cfe838ca7138e381df210d, c4ffe80effddba0b8d9f82988464c5d0, 901ce391f5d25a12282e7ff436a5e62a
  • [File Name] Embeddings/Loaders – brg.exe, Crack.exe, KiffAppE2.exe, lower.exe, sqlcmd.exe, ss29.exe
  • [URL] C2 (CrashedTech loader) – http://crashedff[.]xyz/addnew.php, 47.90.167[.]104
  • [Domain/IP] C2 (Redline) – hrabrlonian[.]xyz:81, 45.130.151[.]133
  • [Domain/IP] C2 (Fabookie Stealer) – count.iiagjaggg[.]com, 154.221.31[.]191, http://34.80.59[.]191/win.pac, http://34.80.59[.]191:8183/
  • [URL] C2 (Koi Stealer/Loader) – http://195.123.211[.]56/index.php
  • [URL] C2 (PseudoManuscrypt) – https://j.ffbbjjkk[.]com/25.html, https://j.ffbbjjkk[.]com/logo.png, https://h.ffbbhhtt[.]com/api6.php
  • [URL] C2 (gcleaner) – http://45.12.253[.]56/advertisting/plus.php, 45.12.253[.]56, 45.12.253[.]72, 45.12.253[.]98
  • [URL] C2 (Raccoon Stealer) – http://91.201.115[.]148
  • [Mutex] Koi mutex – Global99759703-b8b4-4cb2-8329-76f908b004f0
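As an added defender-side example (not code from the report or its author), the following Python sweeps proxy-log lines for the network C2 indicators listed above and reports which family each hit belongs to. It assumes key=value log lines carrying dst= (IP) and host= (Host header/SNI) fields, builds its own constructed sample lines, and keeps the report's defanged IPs and domains defanged with "[.]" until match time.

```python
import re

# Indicator -> family, transcribed from the IoC section above and kept defanged with "[.]".
NETWORK_IOCS = {
    "crashedff[.]xyz": "CrashedTech loader", "47[.]90[.]167[.]104": "CrashedTech loader",
    "hrabrlonian[.]xyz": "Redline", "45[.]130[.]151[.]133": "Redline",
    "count[.]iiagjaggg[.]com": "Fabookie Stealer", "154[.]221[.]31[.]191": "Fabookie Stealer",
    "34[.]80[.]59[.]191": "Fabookie Stealer", "195[.]123[.]211[.]56": "Koi",
    "j[.]ffbbjjkk[.]com": "PseudoManuscrypt", "h[.]ffbbhhtt[.]com": "PseudoManuscrypt",
    "45[.]12[.]253[.]56": "gcleaner", "45[.]12[.]253[.]72": "gcleaner", "45[.]12[.]253[.]98": "gcleaner",
    "91[.]201[.]115[.]148": "Raccoon Stealer",
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value with spaces"

def refang(ioc: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a matchable host ("a.b")."""
    return ioc.replace("[.]", ".").lower()

def parse_line(line: str) -> dict:
    """Parse one key=value proxy-log line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def host_matches(observed: str, ioc: str) -> bool:
    """Exact host/IP match or a subdomain of an indicator domain, never a bare substring."""
    observed = observed.lower().split(":")[0]  # drop an explicit port (hrabrlonian.xyz:81)
    return observed == ioc or observed.endswith("." + ioc)

def sweep(lines):
    """Return (line_number, indicator, family) for every line whose dst/host is a listed C2."""
    refanged = {refang(ioc): fam for ioc, fam in NETWORK_IOCS.items()}
    hits = []
    for n, line in enumerate(lines, 1):
        fields = parse_line(line)
        for observed in filter(None, (fields.get("dst"), fields.get("host"))):
            for ioc, fam in refanged.items():
                if host_matches(observed, ioc):
                    hits.append((n, ioc, fam))
                    break  # one hit per field is enough
    return hits

# Constructed sample lines (not real telemetry); line 4 is a near-miss that must not match.
SAMPLE_LOG = [
    'ts=2023-03-14T10:03:09Z src=10.0.0.5 dst=47.90.167.104 host=crashedff.xyz url=/addnew.php',
    'ts=2023-03-14T10:03:40Z src=10.0.0.5 dst=45.130.151.133 host=hrabrlonian.xyz:81 url=/',
    'ts=2023-03-14T10:04:12Z src=10.0.0.5 dst=34.80.59.191 host="34.80.59.191:8183" url=/',
    'ts=2023-03-14T10:05:00Z src=10.0.0.5 dst=93.184.216.34 host=notcrashedff.xyz url=/',
]
```

Running `sweep(SAMPLE_LOG)` yields six hits on the first three lines and none on the near-miss; feeding real proxy exports in the same key=value shape is the only change needed for a sweep of your own telemetry.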

Read more: https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1