Security News

Knock!! Knock!! … CK Exploit kit is back (Dec 31st, 2015)

By

Dell Sonicwall Threat Research team has been observing CK Exploit Kit being used in the wild, which was first seen in 2012 and continued its presence till 2013 and went quiet.

CK kit uses multiple levels of redirection before serving the landing page. Its redirection chain is shown below:

Fig-1 : Flow chart of Infection Chain

CK Exploit Landing page uses Oracle Deployment Toolkit's javascript to evaluate the Java version and SWFObject project's javascript to evaluate Flash plugin version and uses Dean Edwards' Javascript Packer to hide malicious javascript code.

Fig 2: Landing Page

Landing page has two levels of obfuscation. On de-obfuscation it looks as shown below


Fig-3 : First level of de obfuscation

Fig-4 : second level of de obfuscation


In this update, the kit is checking for the below mentioned browsers, their versions and plugins installed. Based on the victim's browser and plugin version exploit is being served.

Fig 5: script serving the exploit

On successful exploitation, malware belonging to PWS-Banker is being served currently.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: CKhtm.EKA (Exploit)
  • GAV: CKflash.EKA (Exploit
  • GAV: PWS-Banker (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Microsoft Security Bulletin Coverage (Sep 11, 2012)
Resurrection ransomware plays audio from a horror movie
Oracle WebLogic insecure deserialization vulnerability actively being exploited in the wild
Dell SonicWALL and Financial Sector CIG
Wells Fargo Account Update Downloader Trojan (Mar 21, 2012)
New variant of the shellcode malware GuLoader spotted in the wild
A phishing campaign uses morse code to hide malicious URL
Trojan uses EternalBlue to install cryptominer