NullMixer
October 5, 2022
Topics
- Malware
NullMixer is a new malware dropper that gives us another reason to avoid questionable Windows downloads. Your computer can become infected after you download and run the dropper, which is disguised as cracked or otherwise illegal software, or as some other app that may prompt you to ignore warnings from your antivirus software.
NullMixer spreads via malicious websites. These sites are often related to cracks, keygens and activators for illegally downloading software; while they may pose as legitimate software, what they actually deliver is a malware dropper.
NullMixer's infection vector relies on ‘User Execution’ (MITRE ATT&CK technique T1204): a malicious link that the end user must click on to download a password-protected ZIP/RAR archive. Once the file is extracted and executed, NullMixer's infection chain begins.
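Detection logic for the execution step described above, as an added example that is not part of the original article: it scans constructed process-creation events (the Sysmon Event ID 1 style field names `Image` and `ParentImage` are an assumption) for a binary launched directly by an archiver, running from an archiver's temporary extraction folder, or carrying a crack/keygen/activator style name.

```python
import ntpath
import re

# Parent processes that indicate a binary was launched straight from an archive viewer.
ARCHIVER_PARENTS = {"winrar.exe", "7zfm.exe", "7zg.exe"}
# WinRAR (Rar$EXa..., Rar$DIa...) and 7-Zip (7zO..., 7zE...) stage opened files under %TEMP%.
ARCHIVE_TEMP_RE = re.compile(r"\\temp\\(rar\$|7z[a-z])", re.IGNORECASE)
# Names typical of the crack/keygen/activator lures the dropper hides behind.
LURE_NAME_RE = re.compile(r"(crack|keygen|activat|x86_x64)", re.IGNORECASE)


def score_event(event):
    """Return the list of reasons an event looks like a lure executed from an archive."""
    image = event.get("Image", "")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    reasons = []
    if parent in ARCHIVER_PARENTS:
        reasons.append("launched directly by archiver " + parent)
    if ARCHIVE_TEMP_RE.search(image):
        reasons.append("image runs from an archiver temp extraction folder")
    if LURE_NAME_RE.search(ntpath.basename(image)):
        reasons.append("image name matches crack/keygen/activator lure pattern")
    return reasons


def detect(events):
    """Return (image, reasons) for every event that triggers at least one indicator."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits


# Constructed sample events with Sysmon Event ID 1 style field names (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\AppData\Local\Temp\Rar$EXa4120.9731\setup_x86_x64.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"Image": r"C:\Users\bob\Downloads\Photoshop_Activator\Activator.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Git\cmd\git.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for image, reasons in detect(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  *", reason)
```

Each indicator alone is noisy (legitimate installers are also run from archives), so in practice the three are best combined into a score or correlated with a later download from an unknown host.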
What sets NullMixer apart from other droppers is the variety of malware it carries. According to the computer security and antivirus company Kaspersky, several families of malware are installed, amounting to dozens of programs that steal credentials and data, break into cryptocurrency wallets, and display black-hat advertising. All of this malware runs on the infected PC at once, crippling its performance and plaguing its owner.
SmokeLoader (aka Smoke) has been around since 2011 and is distributed via phishing emails and drive-by downloads. Over the years it has gained additional modules, for example for disabling Windows Defender and for anti-analysis techniques. However, most threat actors use only its core functionality: downloading and executing payloads.
RedLine Stealer has been known since early 2020 and was developed further through 2021. The malware is known to be sold on online forums and distributed via phishing emails. A newer method of spreading RedLine Stealer is luring Windows 10 users with fake Windows 11 upgrades: when the user downloads and executes the binary, they are actually running the malware. RedLine's main purpose is to steal credentials and information from browsers, in addition to stealing credit card details and cryptocurrency wallets from the compromised machine. The malware also collects information about the system, such as the username, hardware details and installed security applications.
PseudoManuscrypt has been known since June 2021 and is offered as Malware-as-a-Service (MaaS). It does not target particular companies or industries, but industrial and government organizations have been observed to be the most significant victims. The malware is known to be distributed via other botnets such as Glupteba. The main aim of the PseudoManuscrypt operators is to spy on their victims: stealing cookies from Firefox, Google Chrome, Microsoft Edge, Opera and Yandex Browser, keylogging, and stealing cryptocurrency via the ClipBanker plugin. A distinctive feature of the malware is its use of the KCP protocol to download additional plugins.
ColdStealer is a relatively new malicious program, discovered in 2022. Like many other stealers, its main purpose is to steal credentials and information from web browsers, along with cryptocurrency wallets, FTP credentials, various files and system information such as OS version, system language, processor type and clipboard contents. The only known method of delivering stolen information to the cybercriminals is sending a ZIP archive to an embedded control center.
Trying to save money by using unlicensed software can be costly. A single file downloaded from an unreliable source can lead to a large-scale infection of a computer system. As we can see, a large proportion of the malware families dropped by NullMixer are classified as Trojan-Downloaders, which suggests that infections will not be limited to the malware families described in this report. Many of the other families mentioned here are stealers, and the credentials they compromise can be used for further attacks inside a local network.