Not for the first time, I got an email recommending some accounting software from “Kindaichi”. I am not entirely sure whether there is malware behind it, but let us have a closer look.
The email I got promotes some accounting software from a company, or with the name, “Kindaichi”. So far nothing special, spam is common. The email looks like this.
KINDAICHI Accounting Software, Community 2020 edition provide basic accounting software features, and it is FREE.
I find it very odd that an email promotes this kind of software, which should mainly be used by companies, not end users.
The email features a small PDF in the attachment, which seems to be clean of any malware. I checked it with VirusTotal. But in general, I do not recommend opening any attachment from random mails. Also, the download link does not point to any company website but rather to some cloud service. This is usually a red flag.
I opened the PDF in my virtual Linux machine. It looks very strange.
The company homepage
If you look the software up on Google, there is not much information to be found. The first result is now the German version of this blog post. The company website looks very simple; it is basically a Bootstrap template with the same download links as in the email. No SSL.
OK, another thing I do not recommend: downloading the software from the internet. Again, I am doing that in my virtual machine, which I can reset afterwards. The download is located on a cloud service named “pCloud”.
The ZIP file contains a lot of software, PDFs and an installer. Not very typical for malware, which is very odd.
However, if we check the file with VirusTotal.com, there are 7 virus scanners that flag the file as malicious. If we look at the ZIP file above, we can see two files named “UltraViewer”, which seem to be some kind of remote control software. Might be legit, might be the reason why VirusTotal.com finds some malware, but honestly, that’s very concerning.
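The ZIP inspection described above can be done without unpacking anything to disk. The following is an added example, not part of the original post: it hashes every archive member in memory (the SHA-256 can be looked up on VirusTotal) and flags executables and remote-control tools by file name. The sample archive, its file names, and every hint other than “UltraViewer” are constructed assumptions.

```python
import hashlib
import io
import zipfile

# Assumption: name fragments of remote-control tools worth a second look.
# "ultraviewer" is the one named in the post; the others are illustrative.
REMOTE_TOOL_HINTS = ("ultraviewer", "teamviewer", "anydesk")
EXECUTABLE_EXTS = (".exe", ".msi", ".bat", ".cmd", ".scr", ".dll", ".ps1", ".vbs")

def triage_zip(data: bytes) -> list[dict]:
    """Inspect a ZIP held in memory; no member is ever written to disk."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            entry = {
                "name": info.filename,
                "size": info.file_size,
                "encrypted": bool(info.flag_bits & 0x1),  # password-protected member
                "executable": name.endswith(EXECUTABLE_EXTS),
                "remote_tool": any(hint in name for hint in REMOTE_TOOL_HINTS),
                "sha256": None,  # stays None when the member cannot be read
            }
            if not entry["encrypted"]:
                digest = hashlib.sha256()
                with zf.open(info) as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                entry["sha256"] = digest.hexdigest()
            report.append(entry)
    return report

def build_sample() -> bytes:
    """Constructed sample archive; names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Setup.exe", b"MZ constructed placeholder")
        zf.writestr("Installation Guide.pdf", b"%PDF-1.4 constructed")
        zf.writestr("tools/UltraViewer_setup.exe", b"MZ constructed placeholder 2")
    return buf.getvalue()

if __name__ == "__main__":
    for e in triage_zip(build_sample()):
        flags = [k for k in ("executable", "remote_tool", "encrypted") if e[k]]
        print(f'{e["sha256"]}  {e["name"]}  {",".join(flags) or "-"}')
```

A name match only tells you which files to look at first; the hash lookup and a sandboxed run are what give evidence either way.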
The next step is to try and install the software. I also did that in a virtual machine with Windows and no access to my local network.
The ZIP file contains an installer.
If the installer is run, a menu appears, which looks very unsuspicious. The menu allows us to install the software. Sometimes the installer asks for a password, which can be found in the installation guide PDF.
The software installs normally.
After the installation, the software can be started and offers to create a profile for your company. However, after starting, the software asks for a license key, which I do not have, so I cannot use the software.
I am not sure whether the software is malware or not. VirusTotal shows several warnings, which is usually a red flag. There is no real information about the software on the internet, and the company homepage just looks like someone used a template and put some information in there, not like a real homepage.
My advice is to not open anything from the email and to not run the software. But I might be wrong. If you have more information, let me know. 🙂