The Dell SonicWALL Threat Research team has observed the CK Exploit Kit in use in the wild again. The kit was first seen in 2012, remained active through 2013, and then went quiet.
The CK kit uses several levels of redirection before serving its landing page. The redirection chain is shown below:
The landing page is obfuscated in two layers. After each layer is de-obfuscated, it looks as shown below.
Fig-3: First level of de-obfuscation
Fig-4: Second level of de-obfuscation
In this update the kit checks for the browsers, browser versions and installed plugins shown below, and serves the exploit that matches the victim's browser and plugin version. A visitor whose browser or plugin versions fall outside the targeted set receives no exploit, so an analyst replaying the landing page needs to present a matching User-Agent and plugin set to reach the exploit branch.
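As an added illustration of the version check described above (example code written for this page, not the kit's actual landing-page script), the following stand-alone JavaScript models how such a landing page parses the User-Agent string and the plugin list and then chooses an exploit branch. The `TARGETS` table, its version thresholds, and the sample inputs are constructed assumptions for the example and are not CK's real targeting list; on real Internet Explorer of that era the plugin inventory would come from ActiveX probes rather than `navigator.plugins`, so the inventory is passed in as plain objects here.

```javascript
// Added example (not from the SonicWALL write-up): a model of the browser/plugin
// version check an exploit-kit landing page performs before picking an exploit.
// Runs under Node on constructed inputs instead of the live `navigator` object.

// Parse a dotted version string into integers ("11.2.202.235" -> [11, 2, 202, 235]).
function parseVersion(s) {
  return String(s).split('.').map(function (p) { return parseInt(p, 10) || 0; });
}

// Numeric comparison of two dotted version strings; returns <0, 0 or >0.
function compareVersions(a, b) {
  var va = parseVersion(a), vb = parseVersion(b);
  var n = Math.max(va.length, vb.length);
  for (var i = 0; i < n; i++) {
    var x = va[i] || 0, y = vb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// Identify browser family and version from a User-Agent string.
// Covers the tokens kits of this era key on: "MSIE x.y", Trident "rv:x.y", Firefox/x, Chrome/x.
function identifyBrowser(ua) {
  var m;
  if ((m = /MSIE\s+(\d+(?:\.\d+)?)/.exec(ua))) return { name: 'ie', version: m[1] };
  if ((m = /Trident\/.*?rv:(\d+(?:\.\d+)?)/.exec(ua))) return { name: 'ie', version: m[1] };
  if ((m = /Firefox\/(\d+(?:\.\d+)*)/.exec(ua))) return { name: 'firefox', version: m[1] };
  if ((m = /Chrome\/(\d+(?:\.\d+)*)/.exec(ua))) return { name: 'chrome', version: m[1] };
  return { name: 'other', version: '0' };
}

// Extract Flash and Java versions from navigator.plugins-style entries
// ({name, description} objects, the shape Firefox and Chrome expose).
function identifyPlugins(plugins) {
  var found = {};
  plugins.forEach(function (p) {
    var text = (p.name || '') + ' ' + (p.description || '');
    var m;
    if ((m = /Shockwave Flash\s+(\d+(?:\.\d+)*)/.exec(text))) found.flash = m[1];
    // Java plugin names look like "Java(TM) Platform SE 7 U15" -> "7.15".
    if ((m = /Java.*?SE\s+(\d+)\s+U(\d+)/.exec(text))) found.java = m[1] + '.' + m[2];
  });
  return found;
}

// Hypothetical targeting table (an assumption for this example, not CK's real thresholds):
// an exploit is served only when the browser family is listed and the plugin version is
// at or below maxVersion. Flash is tried before Java, mirroring a fixed priority order.
var TARGETS = {
  flash: { browsers: ['ie', 'firefox'], maxVersion: '11.2.202.235' },
  java:  { browsers: ['ie', 'firefox', 'chrome'], maxVersion: '7.15' }
};

// Decide which exploit branch a visitor with this UA and plugin inventory would reach.
// Returns { browser, exploit, pluginVersion }; exploit is null when nothing matches.
function selectExploit(ua, plugins) {
  var browser = identifyBrowser(ua);
  var found = identifyPlugins(plugins);
  var order = ['flash', 'java'];
  for (var i = 0; i < order.length; i++) {
    var key = order[i], t = TARGETS[key];
    if (found[key] && t.browsers.indexOf(browser.name) >= 0 &&
        compareVersions(found[key], t.maxVersion) <= 0) {
      return { browser: browser, exploit: key, pluginVersion: found[key] };
    }
  }
  return { browser: browser, exploit: null, pluginVersion: null };
}

// Constructed sample visitors (not captured traffic).
var SAMPLES = [
  { ua: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
    plugins: [{ name: 'Shockwave Flash', description: 'Shockwave Flash 11.1.102.55' }] },
  { ua: 'Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0',
    plugins: [{ name: 'Shockwave Flash', description: 'Shockwave Flash 11.7.700.169' },
              { name: 'Java(TM) Platform SE 7 U15', description: 'Next Generation Java Plug-in' }] },
  { ua: 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 Chrome/26.0.1410.64 Safari/537.31',
    plugins: [{ name: 'Shockwave Flash', description: 'Shockwave Flash 11.7.700.179' },
              { name: 'Java(TM) Platform SE 7 U21', description: 'Next Generation Java Plug-in' }] }
];

SAMPLES.forEach(function (s) {
  var r = selectExploit(s.ua, s.plugins);
  console.log(r.browser.name + ' ' + r.browser.version + ' -> ' + (r.exploit || 'no exploit served'));
});
```

The same parsing lets an analyst replay a captured landing page's decision tree against different User-Agent and plugin combinations to see which visitor profile actually reaches the exploit, rather than guessing at it in a sandbox that presents an untargeted browser.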
On successful exploitation, the kit currently drops malware from the PWS-Banker family, a password-stealing banking trojan.
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:
- GAV: CKhtm.EKA (Exploit)
- GAV: CKflash.EKA (Exploit)
- GAV: PWS-Banker (Trojan)