Kuik Adware

Original Issue Date:- May 18, 2018
Virus Type:- Adware
Severity:- Medium

It has been reported that an adware named "Kuik" disguised as legitimate adobe flash player update is spreading. This malware is composed of three module- legitimate flash player (decoy), certificate and exe file name as upp.exe. This upp.exe is an installer bundler which contains other modules, scripts of this malwares as shown in figure 1.

Once this malwares drop on infected machine it enumerates all the network interfaces of the victim machine and add the DNS 18.219.162.248 to all the collected interfaces. It also add its own certificate on the victim machine. Then this malware starts doing fingerprinting of the victim system and send it to the server to join its domain controller [kuikdelivery.com].After joining the domain controller, malwares loads different payload for doing malicious activities like adding of bogus chrome extension, coin miner etc.


Indicators of Compromise:

Domain
eventz.win:13463

18.219.162.248

Chrome extensions:

  • d-and-h[.]com/fljlngkbcebmlpdlojnndahifaocnipb.crx
  • d-and-h[.]com/123.crx
  • d-and-h[.]com/jpfhjoeaokamkacafjdjbjllgkfkakca.crx
  • d-and-h[.]com/mmemdlochnielijcfpmgiffgkpehgimj.crx
  • kuikdelivery[.]com/emhifpfmcmoghejbfcbnknjjpifkmddc.crx
  • tripan[.]me/kdobijehckphahlmkohehaciojbpmdbp.crx

kuik hashes:

  • b9323268bf81778329b8316dec8f093fe71104f16921a1c9358f7ba69dd52686
  • 990c019319fc18dca473ac432cdf4c36944b0bce1a447e85ace819300903a79e

Payload Payloads:

  • 92996D9E7275006AB6E59CF4676ACBB2B4C0E0DF59011347CE207B219CB2B751
  • 33D86ABF26EFCDBD673DA5448C958863F384F4E3E678057D6FAB735968501268
  • 7889CB16DB3922BEEFB7310B832AE0EF60736843F4AD9FB2BFE9D8B05E48BECD
  • 761D62A22AE73307C679B096030BF0EEC93555E13DC820931519183CAA9F1B2A
  • 871AD057247C023F68768724EBF23D00EF842F0B510A3ACE544A8948AE775712

Countermeasures and Best practices for prevention:

  • Keep the operating system and third party App with the latest patches.
  • Follow safe practices when browsing the web.
  • Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Generally Malware sample drops and executes generally from these locations.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
  • Keep up-to-date Antivirus and Antispyware signatures. Keep checking the traffic flow from your system at above mentioned IP.
  • Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Restrict execution of PowerShell /WSCRIPT in enterprise environment Ensure installation and use of latest version (currently v5.0) of PowerShell, with enhanced logging enabled. Script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
    Reference:https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
  • Enabled Windows Defender Application Guard with designated the trusted sites as whitelisted, so that rest all sites will be open in container to block the access to memory, local storage, other installed applications or any other resources of interest to the attacker.
  • Use Microsoft Bit locker full-drive encryption feature to mitigate the unauthorized data access by enhancing file and system protection.
  • Enabled Windows Defender Credential Guard, User Account Control feature to protecting from credential theft attacks, blocking of the automatic installation of unauthorized apps and run the apps ,tasks in non-administrative accounts unless administrator specifies.

References: