Kuik Malvertising Trojan

First observed in August 2018, Kraken Cryptor is a ransomware tool that is delivered to users disguised as a legitimate anti-virus application.

Threat ID:: CC-2389
Category:: Trojan, Adware
Threat Severity:: Low
Threat Vector:: Download
Published:: 18 May 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

First observed in August 2018, Kraken Cryptor is a ransomware tool that is delivered to users disguised as a legitimate anti-virus application.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows – All versions
Google Chrome - All versions

Threat details

It is distributed via fake Adobe Flash Player updates containing a .NET installer. When opened, this module is executed and downloads Kuik.

Once installed Kuik will add a new IP address as a domain name server in order to redirect users to malicious sites. It will also install a set of Google Chrome Extensions with multiple functions including cryptocurrency mining and credential theft.

Remediation steps

Type	Step
	Organisations should consider disabling user downloads of Chrome extensions or implement whitelists of trusted extensions. Additionally, to prevent and detect a trojan infection ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place and password reuse is discouraged. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security. d-and-h[.]com/fljlngkbcebmlpdlojnndahifaocnipb.crx\nd-and-h[.]com/123.crx\nd-and-h[.]com/jpfhjoeaokamkacafjdjbjllgkfkakca.crx\nd-and-h[.]com/mmemdlochnielijcfpmgiffgkpehgimj.crx\nkuikdelivery[.]com/emhifpfmcmoghejbfcbnknjjpifkmddc.crx\ntripan[.]me/kdobijehckphahlmkohehaciojbpmdbp.crx

Type

Step

Organisations should consider disabling user downloads of Chrome extensions or implement whitelists of trusted extensions.

Additionally, to prevent and detect a trojan infection ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place and password reuse is discouraged.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

d-and-h[.]com/fljlngkbcebmlpdlojnndahifaocnipb.crx\nd-and-h[.]com/123.crx\nd-and-h[.]com/jpfhjoeaokamkacafjdjbjllgkfkakca.crx\nd-and-h[.]com/mmemdlochnielijcfpmgiffgkpehgimj.crx\nkuikdelivery[.]com/emhifpfmcmoghejbfcbnknjjpifkmddc.crx\ntripan[.]me/kdobijehckphahlmkohehaciojbpmdbp.crx

Last edited: 17 February 2020 12:47 pm