Knock!! Knock!! ... CK Exploit kit is back

December 31, 2015

The Dell SonicWALL Threat Research team has been observing the CK Exploit Kit being used in the wild. The kit was first seen in 2012, remained active through 2013 and then went quiet.

The CK kit uses multiple levels of redirection before serving its landing page. The redirection chain is shown below:

Fig-1 : Flow chart of Infection Chain

The CK Exploit Kit landing page uses the Oracle Deployment Toolkit's JavaScript to determine the installed Java version, the SWFObject project's JavaScript to determine the Flash plugin version, and Dean Edwards' JavaScript Packer to hide its malicious JavaScript code.

Fig 2: Landing Page

The landing page has two levels of obfuscation. After de-obfuscation it looks as shown below:

Fig-3 : First level of de-obfuscation

Fig-4 : Second level of de-obfuscation

In this update, the kit checks for the browsers, browser versions and installed plugins listed below. Based on the victim's browser and plugin versions, the matching exploit is served.

Fig 5: script serving the exploit
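The landing page described above combines three recognisable pieces: the Dean Edwards packer preamble, Oracle Deployment Toolkit (deployJava.js) Java version checks and SWFObject Flash version checks. The following Python script is an added example (not from the advisory or from SonicWALL) that scores a fetched page on those indicators; the two HTML samples are constructed for illustration, the library function names are the libraries' real public APIs, and the "packed JS plus at least one plugin fingerprint" rule is an assumption of mine rather than a vendor signature.

```python
import re

# Indicators taken from the description of the CK landing page. The function
# names are deployJava.js and SWFObject public APIs; the weighting is my own.
INDICATORS = {
    "packer":   re.compile(r"eval\(\s*function\s*\(p,a,c,k,e,[dr]\)"),
    "java_fp":  re.compile(r"deployJava\.(?:js|versionCheck|getJREs)"),
    "flash_fp": re.compile(r"swfobject\.(?:js|getFlashPlayerVersion|hasFlashPlayerVersion)"),
    "ua_check": re.compile(r"navigator\.(?:userAgent|appVersion)"),
}

def score_page(html: str) -> tuple[dict, bool]:
    """Return per-indicator hits and whether the page looks like a CK-style
    landing page: packed JavaScript plus at least one plugin fingerprint.
    Only the outer layer is inspected; calls buried under a second packer
    level would need unpacking first."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    suspicious = hits["packer"] and (hits["java_fp"] or hits["flash_fp"])
    return hits, suspicious

# Constructed sample mimicking the landing-page structure (not a real capture).
SAMPLE_LANDING = """<html><head>
<script src="deployJava.js"></script><script src="swfobject.js"></script>
<script>
var jre = deployJava.versionCheck("1.7.0*");
var fv = swfobject.getFlashPlayerVersion();
eval(function(p,a,c,k,e,d){e=function(c){return c};}('...',0,0,''.split('|'),0,{}))
</script></head><body></body></html>"""

# Constructed benign sample: an ordinary site embedding a Flash movie via SWFObject.
SAMPLE_BENIGN = """<html><head><script src="swfobject.js"></script>
<script>swfobject.embedSWF("video.swf","player","640","360","9.0.0");</script>
</head><body><div id="player"></div></body></html>"""

if __name__ == "__main__":
    for name, page in (("landing", SAMPLE_LANDING), ("benign", SAMPLE_BENIGN)):
        hits, flag = score_page(page)
        print(name, "SUSPICIOUS" if flag else "ok", hits)
```

The benign sample also references SWFObject, which is why the packer preamble is required before a page is flagged; on its own, each library is common on legitimate sites.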

On successful exploitation, malware belonging to the PWS-Banker family is currently being served.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: CKhtm.EKA (Exploit)
  • GAV: CKflash.EKA (Exploit)
  • GAV: PWS-Banker (Trojan)