A new malicious campaign has been identified in which the NullMixer package is being used by third-party malware-as-a-service (MaaS) and pay-per-install (PPI) providers to deliver new polymorphic loaders. The worldwide campaign is likely aimed at selling stolen data on dark-web markets and at providing access to compromised servers and networks to third-party buyers, including ransomware operators.

What’s happening?

According to a report, the operation began earlier this month and has already hit more than 8,000 targets around the world.
  • The attackers have targeted at least 87 countries, infecting around 297 new victims per day, with a particular emphasis on North America, Latin America, Italy, and France.
  • Most victims are Windows 10 Professional and Enterprise users (including the Datacenter editions of Windows Server). In some cases, Windows Embedded machines were targeted, suggesting a focus on IoT devices.

Attack tactics

  • The attackers use SEO poisoning together with social engineering to lure potential victims, mostly IT personnel and technocrats.
  • The campaign tricks system administrators into installing malicious software disguised as cracked versions of the IT management tools EaseUS Partition Master and Driver Easy Pro.
  • Attackers use a series of YouTube videos to promote these tainted installers. The files are hosted on Mega[.]nz, and the download URL is hidden behind the Bitly URL shortener.

The payloads

  • The initial payload delivered by NullMixer is a self-extracting WinRAR archive (an executable) that automatically runs the bundled binaries, including several off-the-shelf info-stealers and loaders:
  • PseudoManuscrypt loader (Crack.exe) - known to have links to Chinese threat actors, although the Lazarus group has also used it.
  • Raccoon Stealer (Brg.exe) - its C2 server is hosted on the Russian infrastructure of VDSina.
  • GCleaner spyware (Lower.exe) - masquerades as the genuine CCleaner utility.
  • Koi info-stealer (Sqlcmd.exe) - a malware loader that uses ECC cryptography to secure its communications.
  • Crashtech Loader (KiffAppE2.exe) - a .NET-based loader service used as a secondary loader in this campaign.
  • Fabookie wallet stealer (Ss29.exe) - a dropper that leverages a Google Cloud endpoint to deliver malicious PAC files for further configuration.
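The drop pattern described above, one self-extracting archive launching half a dozen distinct executables from a temp directory within seconds, is easy to spot in process-creation telemetry. The script below is an added example written for this page; it is not Cyware's code nor anything from the report. The log lines are constructed in a Sysmon-Event-1-like shape with field names chosen for this example, and the user-writable path list and 30-second window are assumptions a team would tune to its own environment.

```python
"""Flag a NullMixer-style multi-payload drop in process-creation telemetry.

Added example, not code from the report or its publisher. The sample log is
constructed; field names (ts, pid, ppid, image, parent_image) are this
example's own, not a vendor schema.
"""
import json
from collections import defaultdict
from datetime import datetime

# Payload file names listed in the report (lower-cased for matching). Used only
# as enrichment: sqlcmd.exe is also a legitimate SQL Server tool name.
NULLMIXER_PAYLOADS = {"crack.exe", "brg.exe", "lower.exe", "sqlcmd.exe",
                      "kiffappe2.exe", "ss29.exe"}

# Path fragments treated as user-writable staging locations (assumption).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample telemetry, one JSON object per line. The first seven lines
# mimic a trojanized installer run from Downloads that unpacks into %TEMP% and
# launches the bundled binaries; the last two are benign noise that must not fire.
SAMPLE_LOG = r"""
{"ts":"2022-11-18T09:12:01Z","pid":4412,"ppid":2190,"image":"C:\\Users\\admin\\Downloads\\EaseUS_Partition_Master_Setup.exe","parent_image":"C:\\Windows\\explorer.exe"}
{"ts":"2022-11-18T09:12:04Z","pid":4420,"ppid":4412,"image":"C:\\Users\\admin\\AppData\\Local\\Temp\\RarSFX0\\Crack.exe","parent_image":"C:\\Users\\admin\\Downloads\\EaseUS_Partition_Master_Setup.exe"}
{"ts":"2022-11-18T09:12:05Z","pid":4428,"ppid":4412,"image":"C:\\Users\\admin\\AppData\\Local\\Temp\\RarSFX0\\Brg.exe","parent_image":"C:\\Users\\admin\\Downloads\\EaseUS_Partition_Master_Setup.exe"}
{"ts":"2022-11-18T09:12:05Z","pid":4436,"ppid":4412,"image":"C:\\Users\\admin\\AppData\\Local\\Temp\\RarSFX0\\Lower.exe","parent_image":"C:\\Users\\admin\\Downloads\\EaseUS_Partition_Master_Setup.exe"}
{"ts":"2022-11-18T09:12:06Z","pid":4444,"ppid":4412,"image":"C:\\Users\\admin\\AppData\\Local\\Temp\\RarSFX0\\Sqlcmd.exe","parent_image":"C:\\Users\\admin\\Downloads\\EaseUS_Partition_Master_Setup.exe"}
{"ts":"2022-11-18T09:12:07Z","pid":4452,"ppid":4412,"image":"C:\\Users\\admin\\AppData\\Local\\Temp\\RarSFX0\\KiffAppE2.exe","parent_image":"C:\\Users\\admin\\Downloads\\EaseUS_Partition_Master_Setup.exe"}
{"ts":"2022-11-18T09:12:07Z","pid":4460,"ppid":4412,"image":"C:\\Users\\admin\\AppData\\Local\\Temp\\RarSFX0\\Ss29.exe","parent_image":"C:\\Users\\admin\\Downloads\\EaseUS_Partition_Master_Setup.exe"}
{"ts":"2022-11-18T09:30:00Z","pid":5012,"ppid":4980,"image":"C:\\Program Files\\Microsoft SQL Server\\Client SDK\\ODBC\\170\\Tools\\Binn\\SQLCMD.EXE","parent_image":"C:\\Windows\\System32\\cmd.exe"}
{"ts":"2022-11-18T10:02:10Z","pid":5120,"ppid":5100,"image":"C:\\Users\\admin\\AppData\\Local\\Temp\\is-ABC12.tmp\\vlc-3.0.18-win64.tmp","parent_image":"C:\\Users\\admin\\Downloads\\vlc-3.0.18-win64.exe"}
"""


def parse_events(log_text):
    """Parse one JSON event per line and convert the timestamp to datetime."""
    events = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path):
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)


def detect_multi_drop(events, window_seconds=30, min_children=3):
    """Alert when a parent running from a user-writable location launches at least
    min_children distinct executables from user-writable locations within
    window_seconds. Known payload names are reported as enrichment only."""
    by_parent = defaultdict(list)
    for event in events:
        if _user_writable(event["parent_image"]) and _user_writable(event["image"]):
            by_parent[(event["ppid"], event["parent_image"].lower())].append(event)

    alerts = []
    for (ppid, parent_image), children in by_parent.items():
        children.sort(key=lambda e: e["ts"])
        for start in children:
            burst = [c for c in children
                     if 0 <= (c["ts"] - start["ts"]).total_seconds() <= window_seconds]
            names = {_basename(c["image"]) for c in burst}
            if len(names) >= min_children:
                alerts.append({
                    "ppid": ppid,
                    "parent_image": parent_image,
                    "first_seen": burst[0]["ts"].isoformat(),
                    "dropped": sorted(names),
                    "known_payloads": sorted(names & NULLMIXER_PAYLOADS),
                })
                break  # one alert per parent process
    return alerts


if __name__ == "__main__":
    for alert in detect_multi_drop(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

The burst-of-children condition carries the detection; the payload name list only enriches the alert, so a legitimate SQLCMD.EXE under Program Files, or a normal installer that spawns a single helper from %TEMP%, does not fire. Trim or extend USER_WRITABLE and the window to match what your own endpoints produce.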

Concluding notes

NullMixer is being used to deliver a wide range of third-party malware, suggesting that its operators may have joined hands with new affiliates. To stay protected against NullMixer, security teams must be aware of the actors' latest tricks and tactics. Stay ahead of such threats with our threat intel exchange platform, CTIX.
Cyware Publisher