Not too long ago, exploit kits (EKs) were widely deployed by attackers in many types of malicious campaigns. With the hardening of browsers and other security improvements, the use of EKs began to decline, and something else crawled into their place. In fact, traffic distribution systems (TDS) have long been a crucial component of exploit kits.
Well-known EKs like Angler and Nuclear typically had a TDS built in, also known as a gate or fingerprinting system, which filtered incoming traffic so that only selected users landed on the page that infected them with malware.
Take the Nuclear EK, which was one of the favored malware-as-a-service tools in the hands of cybercriminals and ransomware authors. Nuclear EK was used to spread Locky ransomware – one of the most prevalent and devastating crypto viruses of the past few years. However, Nuclear activity saw a noticeable decrease at the end of April, and according to multiple sources, the exploit kit’s infrastructure was completely frozen in 2016.
With that being said, security researchers at Proofpoint have been following a new traffic distribution system dubbed BlackTDS, which is being used to distribute various pieces of malware.
What Is BlackTDS? Technical Description
In short, BlackTDS is a multi-functional TDS tool that has been advertising its services on underground markets since the end of December 2017, as pointed out by the research team.
This traffic distribution system provides plenty of services to interested parties. These services are referred to as Cloud TDS. According to the operators, the Cloud TDS package can handle social engineering and redirection to EKs while evading detection by researchers and sandboxes. In addition, BlackTDS also has access to fresh domains with clean reputations over HTTPS, the researchers reported.
The exact services BlackTDS has to offer are presented in the forum advertisements quoted below:
“Cloaking antibot tds based on our non-abuse servers from $3 per day of work. You do not need your own server to receive traffic. API for working with exploit packs and own solutions for processing traffic for obtaining installations (FakeLandings). Dark web traffic ready-made solutions. Placed in 1 click hidden code to use the injection in js on any landings, including on hacked websites.”
“Cost – $6 per day, $45 per 10 days, $90 per month, FREE place on our server, FREE hosting of your file on green https:// domain. 3 DAYS FREE TEST”
* Cloud Antibot Traffic Management System on our non-abuse servers
* API for working with bundles of equities and custom solutions for processing traffic for obtaining installations (FakeLandings). Placing your file on a green https:// domain
* Placed in 1 click hidden code to use the injection in js on any landings including on the shells
What we added during the holidays:
* Built-in modes Iframe (a little morally outdated, but asked – we did).
* fake Microsoft update (breaks the page).
* Fake update Java and Fake update Flash (the page does not break, the original content is visible).
* uploading a file from your personal account to our server.
* Configure delay for the appearance of fake windows.
* Auto-download when clicking on the window area.
* Updating the Black and Geo databases from 13.01.18.
* increased by breaking through the downloads from 6%-12% to 10%-30%.
* added detailed statistics on users who downloaded the file.
* autostart file in fakes.
And this is only on holidays! We continue to work. Cloud TDS at your service.
Where Does the Traffic BlackTDS Uses Come from?
Apparently, the threat’s authors drive traffic to BlackTDS via well-known channels such as spam and malvertising. Then they “set up the malware or EK API of their choice, and then allow the service to handle all other aspects of malware distribution via drive-by”.
Security researchers have been observing BlackTDS infection chains in the wild, delivering malware through social engineering tricks and fake software updates. Worth mentioning is that even though identifying BlackTDS sites was not that hard for the researchers, associating the traffic with known threat actors was quite challenging.
On February 19th, 2018, the security researchers noticed a particular spam campaign, deployed at massive scale, that carried PDF attachments with links to a chain involving BlackTDS. The operation ended on a website selling discount pharmaceuticals. This threat actor, identified as TA505, was spreading ransomware and banking Trojans on a very large scale.
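The chain described above (a spam or malvertising hop, a TDS gate that redirects, a landing page posing as a software update, then an executable download) leaves a trail in web-proxy logs. The following is an added example, not code from Proofpoint or from this article: it assumes a hypothetical log format and uses constructed sample lines to rebuild per-client referer chains and flag that pattern.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy lines (hypothetical format): time client status content-type url referer
SAMPLE_LOG = """\
09:00:01 10.0.0.5 200 text/html https://news.example/story.html -
09:00:02 10.0.0.5 302 text/html https://gate.example/in.php?id=7 https://news.example/story.html
09:00:03 10.0.0.5 200 text/html https://cdn-update.example/flash/index.html https://gate.example/in.php?id=7
09:00:09 10.0.0.5 200 application/x-msdownload https://cdn-update.example/flash/FlashUpdate.exe https://cdn-update.example/flash/index.html
09:01:00 10.0.0.9 200 text/html https://vendor.example/download.html -
09:01:05 10.0.0.9 200 application/x-msdownload https://vendor.example/setup.exe https://vendor.example/download.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+) (\S+)$")
LURE_RE = re.compile(r"update|flash|java|microsoft", re.I)   # fake-update lure keywords
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream"}

def parse_log(text):
    """Parse the constructed log format into dicts; '-' means no referer."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, client, status, ctype, url, ref = m.groups()
            recs.append({"time": t, "client": client, "status": int(status),
                         "ctype": ctype, "url": url, "ref": None if ref == "-" else ref})
    return recs

def chain_for(rec, by_url):
    """Walk referers backwards from one request to rebuild its hop chain (oldest first)."""
    chain, seen = [rec], set()
    while chain[-1]["ref"] and chain[-1]["ref"] not in seen:
        seen.add(chain[-1]["ref"])
        prev = by_url.get((chain[-1]["client"], chain[-1]["ref"]))
        if not prev:
            break
        chain.append(prev)
    return list(reversed(chain))

def flag_drive_by(records):
    """Flag binary downloads whose chain passed a 3xx gate and a lure-named landing page."""
    by_url = {(r["client"], r["url"]): r for r in records}
    hits = []
    for r in records:
        if r["ctype"] not in BINARY_TYPES:
            continue
        chain = chain_for(r, by_url)
        hosts = [urlparse(h["url"]).hostname for h in chain]
        has_gate = any(300 <= h["status"] < 400 for h in chain[:-1])
        landing = chain[-2]["url"] if len(chain) > 1 else ""
        if has_gate and LURE_RE.search(landing):
            hits.append({"client": r["client"], "hops": hosts, "download": r["url"]})
    return hits
```

A plain vendor download with no redirecting gate in its chain (the second client above) is not flagged, which keeps the rule focused on the TDS hop rather than on executables in general.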
Lastly, many researchers are now referring to “bundled” malicious services as “as a service”, and the same rule applies to traffic distribution networks. In the case of TDS, services such as hosting and configuration of the components of a sophisticated drive-by operation are included.
As for BlackTDS in particular, “the low cost, ease of access, and relative anonymity of BlackTDS reduce the barriers to entry to web-based malware distribution”. On top of it all, the network comes with full support for social engineering and the option to deliver malware directly or redirect victims to exploit kit landing pages. As a whole, this traffic distribution network shows a certain level of sophistication, despite the decline of exploit kits.
Web-based attacks are not going anywhere, and BlackTDS is the proof.