A new dropper named “NullMixer” is spreading multiple malware families, including some seen regularly by the RH-ISAC community.
Context
On September 26, 2022, researchers at SecureList reported a new dropper they named “NullMixer” which spreads multiple malware families via malicious websites impersonating legitimate software downloads. According to SecureList, in addition to multiple malware families, NullMixer also drops a wide variety of malicious binaries including backdoors, bankers, downloaders, and spyware.
Community Impact
According to SecureList, the malware families being spread by NullMixer:
- SmokeLoader
- RedLine Stealer
- PseudoManuscrypt
- ColdStealer
- FormatLoader
- CsdiMonetize
- DanaBot
- Disbuk
- Fabookie
- GCleaner
- LgoogLoader
- PrivateLoader
- Racealer
- Satacom
- SgnitLoader
- ShortLoader
- Vidar
Several of these malware are familiar to the retail, hospitality, and travel communities. As such, organizations are encouraged to maintain awareness around the tactics, techniques, and procedures used by NullMixer to drop malware, as well as ingest the indicators of compromise (IOCs) provided here.
Technical Details
SecureList researchers provided the following infection chain for NullMixer, which is based on user execution (MITRE Technique T1204):
- The user visits a website to download cracked software, keygens or activators. The campaign appears to target anyone looking to download cracked software, and uses SEO techniques to make these malicious sites more prominent at the top of search engine results.
- The user clicks on the download link for the desired software.
- The link redirects the user to another malicious website.
- The malicious website redirects the user to a third-party IP address webpage.
- The webpage instructs the user to download a password-protected ZIP file from a file sharing website.
- The user extracts the archived file with the password.
- The user runs the installer and executes the malware.
IOCs
Securelist researchers provided the following IOCs:
| Indicator | Type | Notes |
| hxxps://azilominehostz[.]xyz/ | Domain | Malicious URL |
| hxxps://patchlinks[.]com/ | Domain | Malicious URL |
| hxxp://137[.]184[.]159[.]42/ | Domain | Malicious URL |
| hxxp://185[.]186[.]142[.]166/wallet[.]exe | Domain | Malicious URL |
| hxxps://dll1[.]stdcdn[.]com/ | Domain | Malicious URL |
| hxxp://tg8[.]cllgxx[.]com/hp8/g1/yrpp1047[.]exe | Domain | Malicious URL |
| hxxp://eurekabike[.]com/pmzero/design/img/LightCleaner9252839[.]exe | Domain | Malicious URL |
| hxxps://i[.]xyzgamei[.]com/gamexyz/2201/random[.]exe | Domain | Malicious URL |
| hxxp://www[.]sxhxrj[.]com/askhelp35/askinstall35[.]exe | Domain | Malicious URL |
| hxxps://presstheme[.]me/ | Domain | Malicious URL |
| hxxp://remviagra[.]com/pub1[.]exe | Domain | Malicious URL |
| hxxp://privacy-tools-for-you-782[.]com/downloads/toolspab2[.]exe | Domain | Malicious URL |
| hxxps://cdn[.]discordapp[.]com/attachments/917889480646590537/935966171835031612/Cube_WW6[.]exe | Domain | Malicious URL |
| hxxp://onlinehueplet[.]com/77_1[.]exe | Domain | Malicious URL |
| hxxps://cdn[.]discordapp[.]com/attachments/934006169125679147/943432754161410108/WW19[.]exe | Domain | Malicious URL |
| hxxp://privacy-tools-for-you-791[.]com/downloads/toolspab1[.]exe | Domain | Malicious URL |
| hxxps://cdn[.]discordapp[.]com/attachments/917889480646590537/943130993404018709/Fixtools[.]exe | Domain | Malicious URL |
| hxxp://stylesheet[.]faseaegasdfase[.]com/hp8/g1/rtst1051[.]exe | Domain | Malicious URL |
| hxxp://104[.]168[.]215[.]231/kde[.]exe | Domain | Malicious URL |
| hxxp://careerguide4u[.]online/wp-content/plugins/google-analytics-for-wordpress/BlackCleanerSetp521234[.]exe | Domain | Malicious URL |
| hxxps://i[.]xyzgamei[.]com/gamexyz/2203/random[.]exe | Domain | Malicious URL |
| hххp://zenitsu[.]s3[.]pl-waw[.]scw[.]cloud/pub-summoning/poweroff[.]exe | Domain | Malicious URL |
| hххps://tengenuzui[.]s3[.]pl-waw[.]scw[.]cloud/makio/cpm_pr_vp46up4d6j_[.]exe | Domain | Malicious URL |
| hххps://tengenuzui[.]s3[.]pl-waw[.]scw[.]cloud/makio/updto_bgn64wau5x_date[.]exe | Domain | Malicious URL |
| hххps://tengenuzui[.]s3[.]pl-waw[.]scw[.]cloud/makio/handler_wbba4vzm89rxskhs[.]exe | Domain | Malicious URL |
| hxxps://i[.]xyzgamei[.]com/gamexyz/25/random[.]exe | Domain | Malicious URL |
| hххps://v[.]xyzgamev[.]com/25[.]html | Domain | Malicious URL |
| hххps://v[.]xyzgamev[.]com/login[.]html | Domain | Malicious URL |
| hxxp://jackytpload[.]su/campaign6/autosubplayer[.]exe | Domain | Malicious URL |
| hxxps://gc-distribution[.]biz/pub[.]php?pub=five | Domain | Malicious URL |
| hxxp://www[.]sxhxrj[.]com/askhelp42/askinstall42[.]exe | Domain | Malicious URL |
| hxxps://flexnetinformatica[.]com[.]br/wp-content/plugins/elementor/assets/LightCleaner2132113[.]exe | Domain | Malicious URL |
| hxxp://stylesheet[.]faseaegasdfase[.]com\/hp8/g1/siww1053[.]exe | Domain | Malicious URL |
| hxxps://source3[.]boys4dayz[.]com/installer[.]exe | Domain | Malicious URL |
| hxxps://signaturebusinesspark[.]com/360/fw3[.]exe | Domain | Malicious URL |
| hxxps://signaturebusinesspark[.]com/360/fw4[.]exe | Domain | Malicious URL |
| hxxps://signaturebusinesspark[.]com/360/fw6[.]exe | Domain | Malicious URL |
| hxxps://cdn[.]discordapp[.]com/attachments/937783814208491553/937784072967692368/SecondFile[.]exe | Domain | Malicious URL |
| hххps://v[.]xyzgamev[.]com/23[.]html | Domain | Malicious URL |
| hххps://v[.]xyzgamev[.]com/login[.]html | Domain | Malicious URL |
| 178.62.113[.]205/runtermo | Domain | Malware C2 |
| 185.163.204[.]22/runtermo | Domain | Malware C2 |
| 185.163.45[.]70/runtermo | Domain | Malware C2 |
| 185.186.142[.]166 | Domain | Malware C2 |
| 185.215.113[.]10 | Domain | Malware C2 |
| 185.38.142[.]132 | Domain | Malware C2 |
| 212.193.30[.]21/base/api/ | Domain | Malware C2 |
| 212.193.30[.]45/proxies.txt | Domain | Malware C2 |
| 5.9.224[.]217 | Domain | Malware C2 |
| 92.255.57[.]115 | Domain | Malware C2 |
| ads-memory[.]biz | Domain | Malware C2 |
| all-mobile-pa1ments.com[.]mx | Domain | Malware C2 |
| all-smart-green[.]com | Domain | Malware C2 |
| am1420wbec[.]com/upload/ | Domain | Malware C2 |
| appwebstat[.]biz | Domain | Malware C2 |
| banhamm[.]com | Domain | Malware C2 |
| buy-fantasy-fo0tball.com[.]sg | Domain | Malware C2 |
| buy-fantasy-gmes.com[.]sg | Domain | Malware C2 |
| connectini[.]net | Domain | Malware C2 |
| dll1.stdcdn[.]com | Domain | Malware C2 |
| dollybuster[.]at/upload/ | Domain | Malware C2 |
| egsagl[.]com/upload/ | Domain | Malware C2 |
| enter-me[.]xyz | Domain | Malware C2 |
| fennsports[.]com/upload/ | Domain | Malware C2 |
| file-coin-host-12[.]com | Domain | Malware C2 |
| ginta[.]link | Domain | Malware C2 |
| hhiuew33[.]com/check/safe | Domain | Malware C2 |
| host-data-coin-11[.]com | Domain | Malware C2 |
| islamic-city[.]com/upload/ | Domain | Malware C2 |
| mordo[.]ru/upload/ | Domain | Malware C2 |
| nahbleiben[.]at/upload/ | Domain | Malware C2 |
| noblecreativeaz[.]com/upload/ | Domain | Malware C2 |
| one-wedding-film[.]com | Domain | Malware C2 |
| piratia-life[.]ru/upload/ | Domain | Malware C2 |
| presstheme[.]me | Domain | Malware C2 |
| real-enter-solutions[.]xyz | Domain | Malware C2 |
| recmaster[.]ru/upload/ | Domain | Malware C2 |
| remik-franchise[.]ru/upload/ | Domain | Malware C2 |
| reoseio[.]com | Domain | Malware C2 |
| signaturebusinesspark[.]com | Domain | Malware C2 |
| sovels[.]ru/upload/ | Domain | Malware C2 |
| spaldingcompanies[.]com/upload/ | Domain | Malware C2 |
| toa.mygametoa[.]com | Domain | Malware C2 |
| topexpertshop[.]com | Domain | Malware C2 |
| topniemannpicksh0p[.]cc | Domain | Malware C2 |
| tvqaq[.]cn/upload/ | Domain | Malware C2 |
| whsddzs[.]com/Home/Index/djksye | Domain | Malware C2 |
| 06B31367D65A411B1F2A7B3091FB31D4 | Hash | Coldstealer |
| 584B186152A16161E502816BF990747C | Hash | Coldstealer |
| C41A85123AF144790520F502FE190110 | Hash | Coldstealer |
| 5B14369C347439BECACAA0883C07F17B | Hash | CsdiMonetize |
| 7E58613DDB2FDD10EED17BBCE5B3E0A9 | Hash | CsdiMonetize |
| 883403C940B477CEE083EFEEA8C252C6 | Hash | CsdiMonetize |
| 98F0556A846F223352DA516AF66FA1A0 | Hash | CsdiMonetize |
| CEADA3798FD16FAC13F053D0C6F4D198 | Hash | CsdiMonetize |
| D91325640F392D33409B8F1B2315B97C | Hash | DanaBot |
| 3739256794EBF9BA8C6597A4687C8799 | Hash | Disbuk |
| FBD3940D1AD28166D8539EAE23D44D5B | Hash | Disbuk |
| AAEFF1F8E7BD3A81C69C472BCD211A7B | Hash | Downloader.Bitser |
| E65BF2D56FCAA18C1A8D0D481072DC62 | Hash | Downloader.INNO |
| 33F7383C2EB9B20E11E6A149AA62DEA4 | Hash | Fabookie |
| 79400B1FD740D9CB7EC7C2C2E9A7D618 | Hash | Fabookie |
| B8ECEC542A07067A193637269973C2E8 | Hash | FormatLoader |
| 42100BAF34C4B1B0E89F1C2EF94CF8F8 | Hash | GCleaner |
| 4D75DEA49F6BD60F725FAE9C28CD0960 | Hash | Generic.ClipBanker |
| CC722FD0BD387CF472350DC2DD7DDD1E | Hash | LgoogLoader |
| 4008D7F17A08EFD3FBD18E4E1BA29E00 | Hash | LgoogLoader |
| B2A2F85B4201446B23A250F68051B4DC | Hash | LgoogLoader |
| 4EC312D77817D8FB90403FF87B88D5E3 | Hash | NullMixer |
| 12DBC75B071077042C097AFD59B2137F | Hash | NullMixer |
| F94BF1734F34665A65A835CC04A4AD95 | Hash | NullMixer |
| 362592241E15293C68D0F24468723BBB | Hash | PrivateLoader |
| 7875AAB3E23F885DF12FF62D9EF5DB50 | Hash | PrivateLoader |
| B0448525C5A00135BB5B658CC6745574 | Hash | PseudoManuscrypt |
| D5C1C44D19D8D6E8C0F739CAB439E45E | Hash | PseudoManuscrypt |
| 4FEBA8683DAA18545E9F9408E4CD07BD | Hash | Racealer |
| 446119332738133D3ECD2D00EBE5D0EC | Hash | RedLine |
| 5994DE41D8B4ED3BBB4F870A33CB839A | Hash | RedLine |
| 9F8800BF866E944EFB2034EC56ED574E | Hash | RedLine |
| AC458CABFED224353545707DF966A2BA | Hash | RedLine |
| AF817AAD791628143019FFDE530D0EF7 | Hash | RedLine |
| 2086E25FB651F0A8D713024DE2168B9B | Hash | Satacom |
| B2620FFE40493FDF9E771BFF3BDCBC44 | Hash | SgnitLoader |
| 4DD3F638D4C370ABEB3EBF59CAD8ED2F | Hash | SgnitLoader |
| CE54B9287C3E4B5733035D0BE085D989 | Hash | ShortLoader |
| 9F1EAA0FF990913F7D4DFD31841DE47A | Hash | SmokeLoader |
| 639DE55E338BFCEA8DAAE727141AF3D1 | Hash | Vidar |
