A new traffic distribution system for malware is being offered as a service on the Dark Web and is promoting itself as an affordable way to deploy exploit kits and malware. The traffic distribution system (TDS) is being called BlackTDS by the Proofpoint researchers that found it.
Traffic distribution systems act as brokers that both buy and sell traffic from one site to another. They add value by filtering traffic based on a user’s browser, IP address, geography and user agent data. When a user clicks on a link that is part of a TDS chain they are silently redirected to a malicious web page based on their profile. TDS systems are notorious for aiding criminals in distributing web-based malware via exploit kits and fake downloads.
What Proofpoint found was a TDS-as-a-service offering going by the name Cloud TDS on the Dark Web. The service isn’t quite as full featured as other TDS offerings. It requires threat actors to drive their own traffic to BlackTDS. From there, however BlackTDS promised to use a victim’s profile data to optimize what exploit kits or malware they would expose the user to.
“The operators claim that their Cloud TDS can handle social engineering and redirection to exploit kits (EKs) while preventing detection by bots — namely researchers and sandboxes. Cloud TDS also includes access to fresh domains with clean reputations over HTTPS if required,” according to a Proofpoint report published Wednesday. Proofpoint said the tool has been advertised on underground markets since the end of Dec. 2017.
Proofpoint said BlackTDS appears to be highly scalable, and easily deployable, reducing the barriers for hackers. Cloud TDS services are also relatively inexpensive, starting at $6 per day, $45 per 10 days, or $90 per month. Below is text from an ad:
Cloacking antibot tds based on our non-abuse servers from $3 per day of work. You do not need your own server to receive traffic. API for working with exploit packs and own solutions for processing traffic for obtaining installations (FakeLandings). Dark web traffic ready-made solutions. Placed in 1 click hidden code to use the injection in js on any landings, including on hacked websites.
“Like so many legitimate services, we are increasingly observing malicious services offered ‘as a Service.’ In this case services include hosting and configuration of the components of a sophisticated drive-by. The low cost, ease of access, and relatively anonymity of BlackTDS reduce the barriers to entry to web-based malware distribution. With full support for social engineering and the flexibility to either distribute malware directly or simply redirect victims to exploit kit landing pages, BlackTDS demonstrates the continued maturation of crimeware as a service,” Proofpoint wrote.
The service allows actors to pick the malware or exploit kit APIs of their choice. The service then handles all other aspects of malware distribution.
“The actual redirection, filtering, and hosting of social engineering templates with connections to hosted malware or exploit kits, as well as the user-facing mechanisms behind drive-by attacks all get handled by this single cloud-based service. All the actor needs to provide is the traffic and payload or EK access,” Kevin Epstein, VP of Threat Operations at Proofpoint, told Threatpost.
That was the case with threat actor TA505, which used the BlackTDS services to launch a massive pharmaceutical spam campaign on Feb. 19.
According to Proofpoint, TA505 spammed users with PDF attachments containing links to a chain involving BlackTDS. The redirect chain ended on a website purporting to sell discount pharmaceuticals.
“(BlackTDS) demonstrates that, despite their steady decline, EKs and web-based attacks are not a thing of the past,” according to Proofpoint. “On the contrary, web-based attack chains are increasingly incorporating social engineering, taking advantage of both existing underlying infrastructure and human fallibility rather than short-lived exploits.”