Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/14/2018
04:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Hosted Service Lowers Barriers to Malware Distribution

BlackTDS is a traffic distribution service for directing users to malware and exploit kits based on specific parameters.

A newly discovered malware distribution operation that has been advertising its services on underground markets since late December 2017 is the latest example of the growing maturation of cybercrime as a service.

BlackTDS is a cloud-hosted traffic distribution system (TDS) for distributing malware. Security vendor Proofpoint, which has been tracking the service for the past several weeks, describes it as lowering the entry barrier for threat actors that want to engage in drive-by attacks.

The service isn't a completely turnkey one, since threat actors must still find a way to drive traffic to BlackTDS. "[But] it is otherwise a fairly complete solution, including social engineering for Web-based attacks that is fairly simple and inexpensive to configure and use," says Kevin Epstein, vice president of threat operations at Proofpoint.

A TDS is designed to take traffic from different sources; filter it based on parameters such as user agent, browser, and geography; and then redirect users to various websites, depending on their profile. Malicious distribution systems like BlackTDS use the parameters to redirect users of interest to specific malicious websites and payloads instead.

"For example, an actor might want to send Australian users who click on a malicious link in an email to a banking Trojan configured with injects for Australian banks but make sure that everyone else gets ransomware," Epstein explains.

The use of traffic distribution systems to distribute malware is not new. As far back as 2011, Symantec had reported on cybercriminals using a TDS to distribute exploit kits and malware to targets matching specific profiles. In 2016, Forcepoint reported on a threat actor using a malicious TDS dubbed BlackHat-TDS to redirect users to websites that hosted exploit kits.

As Forcepoint had noted at the time, threat actors running a TDS can set up blacklists of IP ranges to filter out traffic from security vendors and Web crawlers while ensuring traffic from ordinary users gets redirected to malware and exploits.

What makes BlackTDS different is that it is being delivered as a highly scalable, easy to deploy, and relatively inexpensive service. Threat actors can simply drive traffic to BlackTDS using spam, malicious advertisements, and other means; set up or provide access to their malware; and then let the service handle the rest of the distribution process.

"The actual redirection, filtering, and hosting of social engineering templates with connections to hosted malware or exploit kits, as well as the user-facing mechanisms behind drive-by attacks, all get handled by this single cloud-based service," Epstein says. "All the actor needs to provide is the traffic and payload or exploit kit access."

BlackTDS promises hosting that is difficult for researchers and sandboxes to identify and for anti-malware filters to automatically reject. BlackTDS is also relatively inexpensive, with some of its advertised services starting at $6 per day to $90 per month.

One indication of how effective BlackTDS has been so far is its use by TA505, a threat actor known for distributing ransomware and banking Trojans at massive scale. According to Proofpoint, TA505 recently used BlackTDS in a huge spam campaign designed to direct Internet users to a site selling discount pharmaceuticals.

TA505's use of BlackTDS shows the service is quite scalable and has attracted the attention of one of the most prolific malware distributors on the Web, Epstein says. "We can only speculate on the exact implications here, but we will continue to watch for the use of BlackTDS by TA505," he says.

For enterprises, services like BlackTDS once again reinforce the need for defenses at multiple layers such as the network layer, Web and email gateways, and endpoint devices, Epstein says. Attacks are becoming less dependent on active exploits than on user clicks, so education and training are critical as well, he says.

Related content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5034
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
CVE-2019-5035
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...
CVE-2019-5036
PUBLISHED: 2019-08-20
An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially cr...
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...