Win32/Kilim

Installation

Threats in this family usually pretend to be a legitimate installer or update for the Chrome web browser, Adobe Flash Player, or Google Update.

Most of the Kilim executable files we have seen are compiled in AutoIT or Visual Basic and then uploaded to compromised or malicious websites. They try to imitate legitimate files names and icons to trick you into running them.

We have seen variants using the following file names:

• Adobe Players 9.1.3.exe
• AdobeFlash.exe
• AdobeFlashPlayer.exe
• AdobeFlashPlayerUpdater_x32_x86_installer.exe
• AdobePlayer.exe
• FLash - Plugin.exe
• FPlayer 86x64.exe
• FPlayer.exe
• FPlayer_86_64.exe
• FPlayer_installer.exe
• Facebook-ikizin.exe
• Facebook_Player.exe
• Faceikizim.exe
• Faceikizin.exe
• Flash - Guncelle.exe
• Flash - Plugin.exe
• Flash Guncelle.exe
• Flash Player Update.exe
• Flash Player.exe
• Flash-Plugin.exe
• FlashGuncelleyin.exe
• FlashMedia.exe
• FlashPlayer.exe
• FlashPlayerGuncel.exe
• FlashPlayer_Adobe.exe
• FlashPlayer_Güncelle.exe
• FlashPlugin.exe
• FlashPluginn.exe
• Flashplayer.18x11.install_flash.exe
• Flashplayer.x64_mcsa_aaa_aih.exe
• Google Update.exe
• Google_Shockwave.1.286.2589.exe
• HDPlayer.exe
• Player.exe
• Plugin - Guncelle.exe
• PluginFlash.exe
• Smart HD Player Installer.exe
• Smart Player Install.exe
• Smart Player Installer.exe
• Update.exe
• VideoPlayer.exe
• VideoPlayer_installer.exe
• adobeflashplayerguncelleme.exe
• faceikizin.exe
• faceikiziniz.exe
• flash.exe
• flash_installer.exe
• flash_player.exe
• flash_player_download3.exe
• flashplayer.exe
• flashplayer_setup_50.exe
• install_browser.exe
• install_flash.exe
• install_flash_player.exe
• install_flashplayer.exe
• install_flashplayer11x32_aih.exe
• install_flashplayer13x32_97msa_aaa_aih.exe

We have also seen threats using the following icons, some of which are identical to the ones for the products it imitates:

When run, the Kilim executable (detected as Trojan:Win32/Kilim) will drop a copy of itself. We have seen it use the following locations and file names:

• %APPDATA%\patrick_schwazy.exe
• %APPDATA%\smart player installer.exe
• c:\crx\windows.exe
• %LOCALAPPDATA%\<Random>\<Malware Filename>
• %TEMP%\crx\down.exe
• %TEMP%\crx\updafe.exe
• %TEMP%\templem\update.exe
• %TEMP%\Crx\troj.exe
• %USERPROFILE%\<random>\flash.exe
• %USERPROFILE%\<random>\flash_installer.exe
• %USERPROFILE%\<random>\player_installer.exe
• %windir%\flashtopia\flashmedia.exe
• %windir%\exflash\flashplayer.exe

It changes the following registry entries so that it runs each time you start your PC:

• In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

We have seen it use the following values and data:

Sets value: ".NET"
With data: "%APPDATA%\smart player installer.exe"

Sets value: "Adobe Flashplayer Updater"  
With data: "%LOCALAPPDATA%\adobeflashplayerguncel.exe"

Sets value: "FlashMedia"
With data: "%windir%\flashtopia\flashmedia.exe"

Sets value: "FlashPlayer"
With data: "c:\crx\down.exe"

Sets value: "FlashPlayer"
With data: "%TEMP%\crx\updafe.exe"

Sets value: "FlashUpdate"
With data: "%windir%\exflash\flashplayer.exe"

Sets value: "HKC Update Manager"
With data: "%APPDATA%\patrick_schwazy.exe"

Sets value: "Java Sun Systems"
With data: "c:\documents and settings\administrator\local settings\temp\javaguncelleme.exe"

Sets value: "Microsoft Adope Read"
With data: "%TEMP%\templem\update.exe"

Sets value: "Windows Update"
With data: "c:\crx\windows.exe"

Sets value: "netupdateAdb"
With data: "%APPDATA%\smart player installer.exe"

Sets value: "<Random>"
With data: "%LOCALAPPDATA%\<Random>\<Malware Filename>"

Some threats can also create the following registry entries:

• Disable the change password button
  
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  Sets value: "DisableChangePassword"
  With data: "1"
  
• Disable the firewall
  
  In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
  Sets value: "EnableFirewall"
  With data: "0"
  
  In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Sets value: "EnableFirewall"
  With data: "0"
  
• change UAC
  
  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Sets value: "EnableLUA"
  With data: "0"
  
• Force Chrome to install extension
  
  In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
  Sets value: "<Malware XML Path>"
  With data: "1"

Payload

Downloads and installs other malware

Threats in this family can contact a remote server to download and install a malicious Chrome extension. The malicious extension is detected as Trojan:JS/Kilim.

We have seen threats contact the following servers:

• akillitelefonburada.com
• atrhaber.com
• bodrumbayi.com
• facebookbayisistemi.tk
• facetmp.com
• gameus.net
• hdiziler.net
• kartaldesign.com
• l2timeless.com
• ikef.biz
• likeshitbox.com
• medyapaketi.com
• molotofcu.com
• mrtbayi.com
• only-expense.net
• s4media.ru
• sayaci.in
• socialmediaservices.co
• socialmediasystem.net
• sosyalmedyasatis.com
• sosyalmsn.com
• takipcikusum.com
• twitterhizmetlerim.net
• wgetpop.com

The downloaded file can have .CRX, .TXT or .JS file extension.

Kilim might try to stop any running Chrome processes before it installs the malicious browser extension.

Once the browser extensions are installed, Kilim can access your social networking sites, like:

• Ask.fm
• Facebook.com
• Twitter.com
• YouTube.com
• Vk.com

It can use your account to post messages, like pages or follow profiles.

Additional information

• Rise of the social bots

Analysis by Ric Robielos