NullMixer Malware Detection: Hackers Spread a Dropper Using SEO to Deploy Multiple Trojans at Once

Cybersecurity researchers have recently revealed a new wave of adversary campaigns leveraging a malware tool named NullMixer spread via malicious websites. The malware dropper is a lure masquerading as legitimate software, which further deploys a set of Trojans infecting the victim’s system. NullMixer hackers apply advanced SEO tactics to distribute the malware affecting popular search engines like Google.

Detect NullMixer Malware Dropper

NullMixer dropper is currently on the rise, posing a serious threat to thousands of users worldwide since the malware is actively spread via the web using sophisticated SEO tactics. To enable cyber defenders to timely spot the infection, SOC Prime’s Detection as Code platform has recently released a new Sigma rule crafted by our keen Threat Bounty Program developer, Zaw Min Htun (ZETA). 

Possible Execution of ‘Downloader.INNO’ malware By Detection of Associated Files (via file_event)

This Sigma rule detects the Inno Setup Script, which belongs to one of the malicious binaries spread by the NullMixer malware. The rule is compatible with 22 SIEM, EDR, and XDR solutions matching the diverse environment needs of cybersecurity practitioners. 

The detection is aligned with the MITRE ATT&CK® framework, addressing the Execution tactic along with User Execution (T1204) as its primary technique.

Aspiring Threat Hunters and Detection Engineers are welcome to join the ranks of the SOC Prime Threat Bounty Program to help the global cyber defender community enrich collective expertise with their own detection content. 

Cybersecurity professionals constantly striving to keep abreast of malware-related threats can click the Explore Detections button below to instantly reach the broad collection of relevant Sigma rules. The curated context-enriched Sigma rules to detect diverse malware strains are accessible in a few clicks by browsing SOC Prime using the corresponding search query.

Explore Detections

NullMixer Analysis

According to the latest cybersecurity research, the malware dropper NullMixer is coming into the spotlight in the cyber threat arena. Adversaries spread the malware using pirated websites focused on crack, keygen, and diverse tools for illegal malware download. NullMixer campaigns target users on a global scale, including Brazil, Europe, and the U.S.

As soon as a potential victim attempts to download such software masquerading as legitimate, they are redirected to a malicious website page with download guidelines. However, instead of downloading the verified software they are looking for, they end up deploying the malicious ZIP file carrying NullMixer. This triggers an infection chain on the compromised machine. After executing the malicious archive and running it, NullMixer deploys a set of malware files spreading the infection further. 

Among the malicious strains dropped by NullMixer are multiple Trojans, such as backdoors and information stealers, which belong to popular malware families, including SmokeLoader, RedLine stealer, ColdStealer, and more. Cybersecurity researchers haven’t yet attributed NullMixer to any specific threat actor.

SOC Prime’s Detection as Code platform for collective cyber defense helps security teams to have a competitive advantage in the global cyber war. Gain On-Demand access to Sigma rules of your choice to defend against current and emerging cyber threats 95% faster than your industry peers.