Gong Da and CKVIP were web-based exploit kits active in East Asia between 2015 and 2018. They exploited browser vulnerabilities and used toGMTString()-based cookie manipulation to reinfect users and steal data when they revisited compromised websites.
Their malicious landing pages contained the code snippet expires=" + expires.toGMTString(), which was designed to evade detection by mimicking legitimate code but later became a well-known indicator of compromise (IoC) matched by various security solutions.
1. Overview
The Gong Da and CKVIP Exploit Kits were web-based attack tools active in East Asia between 2015 and 2018.
By exploiting browser vulnerabilities and cookie manipulation logic based on toGMTString(), they enabled automatic malware reinfection and information theft upon user revisits.
The code snippet expires=" + expires.toGMTString() was inserted into malicious landing pages to blend in with legitimate code and evade detection, yet it became widely recognized by many security solutions as a representative IoC pattern.
2. Attack Type
Gong Da and CKVIP Exploit Kits represent typical web-based attack tools that operated mainly in East Asia from 2015 to 2018.
Both exploit kits abused browser vulnerabilities and toGMTString()-based cookie manipulation logic to ensure persistent threats, automatically reinfecting users’ systems upon revisits and stealing information.
In particular, the malicious landing pages of these exploit kits commonly contained the snippet expires=" + expires.toGMTString().
This became a well-known IoC pattern identified by many security solutions.
The function was typically inserted into malicious scripts after attackers compromised a server and was designed to evade detection by masquerading as legitimate code.
It should be noted that toGMTString() is deprecated in the ECMAScript standard; toUTCString() is recommended in modern environments.
An analysis of the source code of various websites, including those of government agencies, confirmed that the same function was in use inside legitimate setCookie JavaScript helpers.
As a result, a detection rule keyed on this function could not be applied without blocking legitimate traffic, leaving systems exposed to the attack.
The detection rule is included in the officially certified Snort VRT Exploit Kit ruleset and is distributed as enabled by default.
The rule message “EXPLOITKIT Gong Da exploit kit landing page” was developed by Cisco Talos Intelligence Group to detect the Gong Da Exploit Kit landing page and is documented in the Snort official documentation (SID: 31988).
According to the Snort document (SID: 31988), this rule was designed to detect Gong Da Exploit Kit IoCs and to address high-risk attack types that are difficult to detect through static analysis alone.
Example Attack Scenario:
- Server Compromise: Attackers infiltrate web servers using XSS, malicious landing pages, malvertising, or supply chain attacks.
- Malicious Script Injection: Malicious JavaScript is inserted or existing scripts are modified on compromised servers to execute malware in the victim’s browser.
- Cookie Manipulation: The injected script sets cookie expiration values using expires.toGMTString(), influencing browser behavior or session states.
- Evasion of Detection: To avoid detection, the malicious payload is delivered only to first-time visitors, while returning visitors are shown normal content.
- Exploit Code Execution: Exploit code is executed in the browser of first-time visitors, resulting in system or session data theft.
- Security Threats: This can lead to cookie theft, session hijacking, authentication bypass, and privilege escalation.
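To make the detection problem in the Snort rule discussion and the scenario above concrete, here is an added example scanner (not code from the page, MONITORAPP, or Talos). It checks an HTTP response body for the toGMTString()-based cookie IoC, distinguishes the exact landing-page fragment from any other toGMTString() call, and is run over constructed sample bodies: one in the style of a landing page, one ordinary legacy setCookie helper that carries the identical byte sequence, one variant that only the loose pattern catches, and one clean modern helper. The function and constant names are my own.

```javascript
// Added example, not code from the page, MONITORAPP, or Talos: a small scanner
// that checks an HTTP response body for the toGMTString()-based cookie IoC.
// It separates the exact landing-page fragment from any other toGMTString()
// call so a reviewer can see why the pattern alone cannot tell a malicious
// landing page from a legitimate legacy cookie helper.
// All sample bodies below are constructed for this demonstration.

// The exact fragment named on the page.
const IOC_EXACT = 'expires=" + expires.toGMTString()';
// Looser catch-all: any call to the deprecated function.
const IOC_LOOSE = /\btoGMTString\s*\(\s*\)/;

// Returns one finding per matching line: { line, match: 'exact' | 'loose', text }.
function scanResponseForIoC(body) {
  const findings = [];
  body.split(/\r?\n/).forEach((line, idx) => {
    if (line.includes(IOC_EXACT)) {
      findings.push({ line: idx + 1, match: 'exact', text: line.trim() });
    } else if (IOC_LOOSE.test(line)) {
      findings.push({ line: idx + 1, match: 'loose', text: line.trim() });
    }
  });
  return findings;
}

// Aggregate view suitable for a log line or alert: counts per match type.
function summarize(body) {
  const counts = { exact: 0, loose: 0 };
  for (const f of scanResponseForIoC(body)) counts[f.match] += 1;
  return counts;
}

// Constructed sample 1: a script in the style of the landing pages described
// above (a cookie with a 24-hour expiry that gates the visit).
const LANDING_PAGE_SAMPLE = [
  '<html><body><script>',
  'var expires = new Date();',
  'expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);',
  'document.cookie = "GOOGLE1=1; expires=" + expires.toGMTString();',
  '</script></body></html>',
].join('\n');

// Constructed sample 2: an ordinary legacy setCookie helper of the kind the
// page reports on legitimate sites. It contains the identical byte sequence,
// so the exact pattern fires here too (a false positive for a blocking rule).
const LEGACY_HELPER_SAMPLE = [
  '<script>',
  'function setCookie(name, value, days) {',
  '  var expires = new Date();',
  '  expires.setDate(expires.getDate() + days);',
  '  document.cookie = name + "=" + value + "; expires=" + expires.toGMTString() + "; path=/";',
  '}',
  '</script>',
].join('\n');

// Constructed sample 3: legacy helper with a different variable name, so only
// the loose pattern fires.
const LEGACY_VARIANT_SAMPLE =
  '<script>var d = new Date(); document.cookie = "a=1; expires=" + d.toGMTString();</script>';

// Constructed sample 4: modern helper using Max-Age and toUTCString(); no hit.
const CLEAN_SAMPLE =
  '<script>document.cookie = "a=1; Max-Age=86400; Expires=" + new Date().toUTCString();</script>';

console.log(summarize(LANDING_PAGE_SAMPLE), summarize(LEGACY_HELPER_SAMPLE));
```

Run with node; the landing-page sample and the legitimate helper both produce one exact hit, which is exactly the ambiguity the page reports. In practice a scanner like this is useful as an alerting or triage signal over server responses, not as a blocking rule, until the legitimate uses on a given site have been inventoried.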
Real-World Example: Win32/Aibatook Banking Trojan
In 2014, the Win32/Aibatook banking Trojan, which spread in Japan, was found to use malicious JavaScript-based cookie manipulation techniques.
The attacker created a cookie named “GOOGLE1” with a 24-hour expiration time, implementing logic to prevent redirection or reinfection upon revisits. In this process, the toGMTString() function was used to set the cookie expiration date, allowing the attacker to branch infection logic based on time and control repeated infections.
The exploit page was then loaded through an injected iframe, ultimately delivering and executing the malicious payload on the victim’s browser.
This case is a representative example of how toGMTString() was abused as a tool for cookie-based detection evasion and infection control, demonstrating sophisticated infection strategies based on time conditions.
3. Mitigation
The use of the toGMTString() function to set cookie expiration dates in web applications should be avoided.
This function is deprecated, may cause browser compatibility issues, and can serve as a potential vector for detection evasion.
Therefore, it is strongly recommended to use toUTCString() or the Max-Age attribute instead.
This recommendation should be explicitly applied across all client-side cookie-setting code and included in development guidelines and code reviews.
As a basic security measure, legacy code using toGMTString() should also be refactored.
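As an added example of the refactoring recommended above (not code from the page or MONITORAPP), the following shows the legacy cookie helper pattern beside a hardened builder that uses Max-Age with a toUTCString() Expires fallback, plus a migration helper that converts a legacy cookie string into the hardened form. All function names are my own; both builders return the string that would be assigned to document.cookie, and the current time is injectable so the output is reproducible outside a browser.

```javascript
// Added example, not code from the page or MONITORAPP: legacy cookie helper
// (the 'before') beside a hardened builder and a migration helper for
// refactoring legacy code. `now` is injectable for reproducible results.

// Legacy form: depends on the Annex B toGMTString() alias and carries the
// exact byte sequence that exploit-kit landing-page rules match on.
function buildCookieLegacy(name, value, days, now = new Date()) {
  const expires = new Date(now.getTime() + days * 24 * 60 * 60 * 1000);
  return name + "=" + value + "; expires=" + expires.toGMTString();
}

// Hardened form: Max-Age is authoritative where supported; Expires (built with
// toUTCString) is kept only for clients that ignore Max-Age. Path, Secure and
// SameSite are added because the legacy helper above sets none of them.
function buildCookieHardened(name, value, maxAgeSeconds, now = new Date(), opts = {}) {
  // Conservative subset of the RFC 6265 token characters.
  if (!/^[A-Za-z0-9_\-]+$/.test(name)) throw new TypeError('invalid cookie name');
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds < 0) throw new RangeError('invalid Max-Age');
  const expires = new Date(now.getTime() + maxAgeSeconds * 1000);
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    `Expires=${expires.toUTCString()}`,
    `Path=${opts.path || '/'}`,
    'Secure',
    `SameSite=${opts.sameSite || 'Lax'}`,
  ].join('; ');
}

// Migration helper for code reviews: takes a legacy "name=value; expires=<date>"
// string and re-emits it in the hardened form with an equivalent Max-Age.
// Assumes the legacy value is not already percent-encoded.
function migrateLegacyCookie(cookieString, now = new Date()) {
  const parts = cookieString.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 1) throw new Error('missing name=value pair');
  const name = parts[0].slice(0, eq);
  const value = parts[0].slice(eq + 1);
  const expiresAttr = parts.slice(1).find((p) => /^expires=/i.test(p));
  if (!expiresAttr) throw new Error('no expires attribute to migrate');
  const expiresMs = Date.parse(expiresAttr.slice('expires='.length));
  if (Number.isNaN(expiresMs)) throw new Error('unparseable expires date');
  const maxAge = Math.max(0, Math.floor((expiresMs - now.getTime()) / 1000));
  return buildCookieHardened(name, value, maxAge, now);
}

// Constructed demonstration with a fixed clock so the strings are stable.
const DEMO_NOW = new Date(Date.UTC(2024, 0, 1, 0, 0, 0));
console.log(buildCookieLegacy('sid', 'abc', 1, DEMO_NOW));
console.log(migrateLegacyCookie(buildCookieLegacy('sid', 'abc', 1, DEMO_NOW), DEMO_NOW));
```

One caveat worth knowing before a migration: in engines that implement Annex B, toGMTString() is the same function as toUTCString(), so the date text sent to the browser does not change. The gain is removing the deprecated call and its byte pattern from source, and adding the Max-Age, Secure and SameSite attributes the legacy helper lacks. Secure means the cookie will not be set over plain HTTP, so apply the hardened form only on sites served over HTTPS.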
MONITORAPP attempted to create detection rules based on this issue and prepared updates.
However, since many customer websites legitimately used the same code, concerns arose that applying the rule could impact functions such as login.
Consequently, the rule was not officially released as an update.
4. Conclusion
Patterns detecting the use of toGMTString() can be effective in identifying malicious script injections within server response data.
However, since this function is also used in some legitimate services such as login, real-world application of detection rules faces constraints.
The function is designated as a detection target by both Talos and YARA rule groups, highlighting its importance as a potential security risk.
If exploited by attackers to insert tampered JavaScript, it can lead to significant client-side security threats.
Even if no immediate threat is identified, strengthening security requires avoiding the use of toGMTString() in web applications and transitioning to toUTCString() or the Max-Age attribute.
Detection patterns should also be applied progressively, ensuring they do not interfere with legitimate services. Currently, this detection pattern has not been applied.
5. References
- https://www.boannews.com/media/view.asp?idx=50348
- https://www.hakawati.co.kr/entry/%EA%B3%B5%EB%8B%A4%ED%8C%A9Gondad-EK-%EB%B6%84%EC%84%9D-02
- https://javascript.info/cookie
- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toUTCString
- https://stackoverflow.com/questions/14495019/what-is-the-difference-between-togmtstring-and-toutcstring