Original Issue Date: May 18, 2018
It has been reported that an adware named
Once this malware is dropped on an infected machine, it enumerates all the network interfaces of the victim machine and adds the DNS server 126.96.36.199 to every collected interface. It also installs its own certificate on the victim machine. The malware then fingerprints the victim system and sends the result to its server in order to join the machine to its domain controller [kuikdelivery.com]. After joining the domain controller, the malware loads different payloads for malicious activities such as installing a bogus Chrome extension, a coin miner, etc.
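The DNS tampering described above leaves a host-side trace that can be checked directly: every interface's configured DNS servers. The following script is an added example, not part of the advisory; it assumes Windows 8 / Server 2012 or later (DnsClient module) and an elevated prompt if the optional remediation switch is used. The only IoC it uses is the DNS address quoted in the advisory; pass additional addresses via the parameter if you have them.

```powershell
# Added example (not from the advisory): flag, and optionally remove, the suspect DNS server
# on every IPv4 interface. Assumes the DnsClient module (Windows 8 / Server 2012+).
param(
    [string[]]$SuspectDnsServers = @('126.96.36.199'),   # address quoted in the advisory
    [switch]$Remediate                                   # requires an elevated prompt
)

$findings = @()
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    $bad = @($cfg.ServerAddresses | Where-Object { $SuspectDnsServers -contains $_ })
    if ($bad.Count -eq 0) { continue }

    $findings += [pscustomobject]@{
        InterfaceAlias = $cfg.InterfaceAlias
        InterfaceIndex = $cfg.InterfaceIndex
        SuspectServers = ($bad -join ',')
        AllServers     = ($cfg.ServerAddresses -join ',')
    }

    if ($Remediate) {
        $clean = @($cfg.ServerAddresses | Where-Object { $SuspectDnsServers -notcontains $_ })
        if ($clean.Count -gt 0) {
            # Keep the legitimate servers, drop only the injected one
            Set-DnsClientServerAddress -InterfaceIndex $cfg.InterfaceIndex -ServerAddresses $clean
        } else {
            # Nothing legitimate was left on the interface: fall back to DHCP-assigned servers
            Set-DnsClientServerAddress -InterfaceIndex $cfg.InterfaceIndex -ResetServerAddresses
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No interface points at a suspect DNS server.'
} else {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled task or management agent can flag the host
}
```

Run it without `-Remediate` first from a scheduled task or management tool and collect the non-zero exits centrally; a hit on any interface is a strong signal that the rest of the infection chain (certificate install, extension drop, miner) should be looked for on that host. The injected certificate is not checked here because the advisory gives no identifier for it.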
Indicators of Compromise:
Countermeasures and Best practices for prevention:
- Keep the operating system and third-party applications updated with the latest patches.
- Follow safe practices when browsing the web.
- Application whitelisting / strict implementation of Software Restriction Policies (SRP) to block binaries running from the %APPDATA% and %TEMP% paths; malware samples generally drop and execute from these locations.
- Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In the case of genuine URLs, close the e-mail and go to the organization's website directly through the browser.
- Keep Antivirus and Antispyware signatures up to date. Keep checking the traffic flow from your systems to the above-mentioned IP.
- Block attachments with the file types exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
- Restrict execution of PowerShell / WSCRIPT in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled: script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring.
- Enable Windows Defender Application Guard with the designated trusted sites whitelisted, so that all other sites open in a container, blocking access to memory, local storage, other installed applications or any other resources of interest to the attacker.
- Use the Microsoft BitLocker full-drive encryption feature to mitigate unauthorized data access by enhancing file and system protection.
- Enable Windows Defender Credential Guard and the User Account Control feature to protect against credential theft attacks, block the automatic installation of unauthorized apps, and run apps and tasks in non-administrative accounts unless the administrator specifies otherwise.
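The PowerShell logging recommendation above (latest version, script block logging, transcription, logs shipped centrally) maps onto a handful of policy registry values, the same ones Group Policy writes. The script below is an added example, not part of the advisory; it assumes an elevated prompt and uses `C:\PSTranscripts` as a placeholder transcript directory, which in production should be a write-only share that the central log collector picks up.

```powershell
# Added example (not from the advisory): enforce PowerShell v5 logging settings locally.
# Assumptions: elevated prompt; $TranscriptDir is a placeholder, point it at a write-only share.
$TranscriptDir = 'C:\PSTranscripts'

# The advisory calls for the latest (v5.0) PowerShell; script block logging needs v5.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    Write-Warning "PowerShell $($PSVersionTable.PSVersion) is older than v5; install WMF 5.0 first."
}

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$settings = @{
    "$policyRoot\ScriptBlockLogging" = @{
        EnableScriptBlockLogging = 1      # event 4104, Microsoft-Windows-PowerShell/Operational
    }
    "$policyRoot\ModuleLogging" = @{
        EnableModuleLogging = 1           # event 4103 pipeline execution details
    }
    "$policyRoot\Transcription" = @{
        EnableTranscripting    = 1        # full session transcripts written to OutputDirectory
        EnableInvocationHeader = 1        # timestamp each command in the transcript
        OutputDirectory        = $TranscriptDir
    }
}

foreach ($key in $settings.Keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $settings[$key].Keys) {
        $value = $settings[$key][$name]
        $type  = if ($value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $key -Name $name -Value $value -PropertyType $type -Force | Out-Null
    }
}

# Module logging only takes effect for modules listed under ModuleNames; '*' covers all of them.
$moduleNamesKey = "$policyRoot\ModuleLogging\ModuleNames"
if (-not (Test-Path $moduleNamesKey)) { New-Item -Path $moduleNamesKey -Force | Out-Null }
New-ItemProperty -Path $moduleNamesKey -Name '*' -Value '*' -PropertyType String -Force | Out-Null

if (-not (Test-Path $TranscriptDir)) { New-Item -Path $TranscriptDir -ItemType Directory | Out-Null }

# Read back what was written so the change can be verified (and audited) on the host
Get-ItemProperty "$policyRoot\ScriptBlockLogging", "$policyRoot\Transcription" |
    Format-List EnableScriptBlockLogging, EnableTranscripting, OutputDirectory
```

Script block logging (event 4104) is what exposes obfuscated or downloaded code at execution time, which is the stage at which the payload loading described in this advisory would appear; forward the Microsoft-Windows-PowerShell/Operational channel together with the transcript directory to the central repository so the records survive host clean-up.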