BlackTDS Emerges as an As-a-Service Drive-By Kit for Malware Distribution

Written by

A new traffic distribution system called BlackTDS has reared its head in the criminal underground, marketing itself as an as-a-service tool for malware distribution.

The privately held BlackTDS was spotted by Proofpoint researchers in late December 2017. It offers a variety of services to its “clients” that it collectively refers to as a Cloud TDS; these include hosting and configuring the components of sophisticated drive-by attacks, like social engineering and redirection to exploit kits (EKs), while preventing detection by researchers and sandboxes. Cloud TDS also includes access to fresh domains with clean reputations over HTTPS.

“Threat actors drive traffic to BlackTDS via spam, malvertising, and other means, set up the malware or EK API of their choice, and then allow the service to handle all other aspects of malware distribution via drive-by,” researchers said in a posting. “We observed BlackTDS infection chains several times in the wild, distributing malware via fake software updates and other social engineering schemes.”

There’s evidence that BlackTDS is allowing known threat actors to branch into new realms. For instance, a large spam campaign was observed on 19 February from the actor TA505, using PDF attachments containing links to a chain involving BlackTDS. The chain ended with a fraud website purporting to sell discount pharmaceuticals.

“TA505 has typically distributed ransomware and banking Trojans at enormous scale, making this particular campaign unusual,” researchers noted.

Proofpoint also posted the Dark Web advertisements for the service (the text has not been edited):

“Cloacking antibot tds based on our non-abuse servers from $3 per day of work. You do not need your own server to receive traffic. API for working with exploit packs and own solutions for processing traffic for obtaining installations (FakeLandings). Dark web traffic ready-made solutions. Placed in 1 click hidden code to use the injection in js on any landings, including on hacked websites.”

“Cost - $6 per day, $45 per 10 days, $90 per month, FREE place on our server, FREE hosting of your file on green https:// domain. 3 DAYS FREE TEST”

Researchers noted that the low cost, ease of access and relative anonymity of BlackTDS reduce the barriers to entry to web-based malware distribution.

“With full support for social engineering and the flexibility to either distribute malware directly or simply redirect victims to exploit kit landing pages, BlackTDS demonstrates the continued maturation of crimeware-as-a-service,” they said. “Moreover, it demonstrates that, despite their steady decline, EKs and web-based attacks are not a thing of the past. On the contrary, web-based attack chains are increasingly incorporating social engineering, taking advantage of both existing underlying infrastructure and human fallibility rather than short-lived exploits.”

What’s hot on Infosecurity Magazine?