{"id":12229,"date":"2018-05-08T09:10:02","date_gmt":"2018-05-08T17:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/05\/08\/news-5998\/"},"modified":"2018-05-08T09:10:02","modified_gmt":"2018-05-08T17:10:02","slug":"news-5998","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/05\/08\/news-5998\/","title":{"rendered":"Kuik: a simple yet annoying piece of adware"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Tue, 08 May 2018 16:00:27 +0000<\/strong><\/p>\n

Some pieces of malware can be so simple\u2014and yet such a pain<\/em> to get rid of\u2014especially when they start interfering with your system’s configuration. This much is true for the Kuik adware program, which surprised us all by forcing affected machines to join a domain controller.<\/p>\n

The perpetrators are using this unusual technique to push Google Chrome extensions and coin miner applications to their victims. In this blog, we’ll provide technical analysis of this adware and custom removal instructions.<\/p>\n

Technical description<\/h3>\n

Stage 1 – .NET installer<\/strong><\/p>\n

0ba20fee958b88c48f3371ec8d8a8e5d<\/a><\/p>\n

The first stage is written in .NET with an icon imitating the Adobe Flash Player. This is typical of bundlers that promise to update software components but also add their own code to the original installer.<\/p>\n

\"\"<\/p>\n

After opening with a dotNet decompiler (i.e. dnSpy), we found that the project’s original name was\u00a0WWVaper<\/em>.<\/p>\n

\"\"<\/p>\n

It has three resources inside:<\/p>\n