Knock!! Knock!! … CK Exploit kit is back (Dec 31st, 2015)


The Dell SonicWALL Threat Research team has been observing the CK Exploit Kit being used in the wild again. The kit was first seen in 2012, remained active through 2013, and then went quiet.

The CK kit uses multiple levels of redirection before serving the landing page. Its redirection chain is shown below:

Fig 1: Flow chart of the infection chain

The CK Exploit Kit landing page uses the Oracle Deployment Toolkit's JavaScript to evaluate the installed Java version, the SWFObject project's JavaScript to evaluate the Flash plugin version, and Dean Edwards' JavaScript Packer to hide its malicious JavaScript code.

Fig 2: Landing page

The landing page has two levels of obfuscation. After de-obfuscation it looks as shown below.

Fig 3: First level of de-obfuscation

Fig 4: Second level of de-obfuscation

In this update, the kit checks for the browsers, browser versions and installed plugins listed below. Based on the victim's browser and plugin version, the matching exploit is served.
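The two behaviours described above (hiding the landing-page script behind Dean Edwards' Packer, and fingerprinting the Java and Flash plugin versions before choosing an exploit) are what an analyst has to see through before the exploit-selection logic becomes readable. The following is an added example, not code from the SonicWall post or the kit itself: a Python re-implementation of the Packer decode loop that unpacks a `p,a,c,k,e,d` payload without ever evaluating it, plus a signature check for the Packer preamble and a scan of the unpacked script for the real plugin-version calls (`deployJava.versionCheck` from the Oracle Deployment Toolkit and `swfobject.getFlashPlayerVersion` from SWFObject). The `pack` function is a deliberately simplified packer that exists only to build constructed test input; the genuine Packer is more selective about which words it replaces, but its decode loop, which is what `unpack` mirrors, is identical. The sample script is constructed and hypothetical.

```python
"""Defender-side unpacker for Dean Edwards' JavaScript Packer (added example)."""
import re
import string

# Alphabet of Packer's base-N encoder: 0-9, a-z, then A-Z (bases up to 62).
_ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase

# The genuine Packer runtime that precedes the packed arguments.
PACKER_HEADER = (
    "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    "+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
    "while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}"
)

# Matches the argument tail:  }('payload', base, count, 'w1|w2|...'.split('|')
PACKED_RE = re.compile(
    r"\}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
    r"\s*'((?:\\.|[^'\\])*)'\s*\.split\('\|'\)",
    re.S,
)

# Real plugin-version APIs the CK landing page relies on (Oracle Deployment Toolkit, SWFObject).
FINGERPRINT_MARKERS = ("deployJava.versionCheck", "swfobject.getFlashPlayerVersion")

# Constructed sample of fingerprinting logic (hypothetical; not the kit's script).
SAMPLE_SCRIPT = (
    'var jv=deployJava.versionCheck("1.6+");var fv=swfobject.getFlashPlayerVersion();'
    'if(jv&&fv[0]>=11){go("both")}'
)


def encode(n: int, base: int) -> str:
    """Base-N encoding identical to Packer's `e` helper."""
    if n < base:
        return _ALPHABET[n]
    return encode(n // base, base) + _ALPHABET[n % base]


def looks_packed(script: str) -> bool:
    """Signature check for the unmistakable Packer preamble."""
    return "eval(function(p,a,c,k,e,d)" in script.replace(" ", "")


def pack(source: str, base: int = 62) -> str:
    """Simplified packer used only to build test input: every \\w+ token becomes its base-N index."""
    words, index = [], {}

    def sub(mo):
        w = mo.group(0)
        if w not in index:
            index[w] = len(words)
            words.append(w)
        return encode(index[w], base)

    payload = re.sub(r"\b\w+\b", sub, source)
    # Packer leaves the slot empty when a word already equals its own encoding.
    keywords = "|".join("" if w == encode(i, base) else w for i, w in enumerate(words))
    payload = payload.replace("\\", "\\\\").replace("'", "\\'")
    return f"{PACKER_HEADER}('{payload}',{base},{len(words)},'{keywords}'.split('|'),0,{{}}))"


def unpack(script: str) -> str:
    """Reverse the Packer loop: map each token back to its keyword, no eval involved."""
    m = PACKED_RE.search(script)
    if not m:
        raise ValueError("no Packer payload found")
    payload, base, count = m.group(1), int(m.group(2)), int(m.group(3))
    payload = re.sub(r"\\(.)", r"\1", payload)          # undo JS string escapes
    words = re.sub(r"\\(.)", r"\1", m.group(4)).split("|")
    # Same table Packer builds: d[e(c)] = k[c] || e(c)  (empty slot keeps the literal token)
    table = {}
    for c in range(count):
        tok = encode(c, base)
        table[tok] = words[c] if c < len(words) and words[c] else tok
    return re.sub(r"\b\w+\b", lambda mo: table.get(mo.group(0), mo.group(0)), payload)


def plugin_fingerprint_calls(script: str) -> list:
    """Report which plugin-version APIs appear in a (preferably unpacked) script."""
    return [marker for marker in FINGERPRINT_MARKERS if marker in script]


if __name__ == "__main__":
    packed = pack(SAMPLE_SCRIPT)
    print("packed signature present:", looks_packed(packed))
    print("fingerprint calls visible before unpacking:", plugin_fingerprint_calls(packed))
    clear = unpack(packed)
    print("fingerprint calls visible after unpacking:", plugin_fingerprint_calls(clear))
    print("round trip ok:", clear == SAMPLE_SCRIPT)
```

Note that the plugin-version calls are invisible to a plain string search on the packed form, because Packer splits `deployJava.versionCheck` into two separately indexed words; only after the static unpack do the fingerprinting markers become matchable, which is why a detection pipeline should unpack before applying content signatures.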

Fig 5: Script serving the exploit

On successful exploitation, malware belonging to the PWS-Banker family is currently served.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: CKhtm.EKA (Exploit)
  • GAV: CKflash.EKA (Exploit)
  • GAV: PWS-Banker (Trojan)
