Date/Time of Report – 20180319 1415
APT/Vector Name – BlackTDS
AKA Names – N/A
Purpose/Target – Cybercriminals consistently utilize Traffic Distribution Systems to determine traffic type, which aids them in directing users to certain malicious sites and in choosing which malicious payloads to execute on particular systems. [1]
Method – Spam, malvertising, distributing malware via fake software updates and other social engineering schemes.
- User visits a legitimate website
- Website displays an ad from an ad network
- User clicks ad and is redirected to the TDS
- TDS redirects user to final destination URL. In most cases the ad links to the advertiser's legitimate website; in this case the destination URL serves malware.
- Computer gets compromised by malware. [2]
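As an added illustration (not part of the report or its sources), the following Python reconstructs the redirect chain described above from constructed proxy log lines and flags chains that hop across several hosts and land on a directly executable file. The log format, hostnames, status codes and thresholds are assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed proxy log (not from the report): timestamp, client, requested
# URL, HTTP status, Location header ("-" when absent). Hostnames are made up.
PROXY_LOG = """\
2018-03-19T14:00:01 10.0.0.5 http://news.example/article 200 -
2018-03-19T14:00:02 10.0.0.5 http://ads.example/click?id=77 302 http://tds.example/go?c=77
2018-03-19T14:00:02 10.0.0.5 http://tds.example/go?c=77 302 http://update-flash.example/player.exe
2018-03-19T14:00:03 10.0.0.5 http://update-flash.example/player.exe 200 -
2018-03-19T14:05:00 10.0.0.9 http://ads.example/click?id=12 302 http://shop.example/promo
2018-03-19T14:05:01 10.0.0.9 http://shop.example/promo 200 -
"""
REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_log(text):
    """Split each whitespace-separated log line into a dict."""
    rows = []
    for line in text.splitlines():
        ts, client, url, status, location = line.split()
        rows.append({"ts": ts, "client": client, "url": url, "status": int(status),
                     "location": None if location == "-" else location})
    return rows

def redirect_chains(rows):
    """Stitch per-client 3xx hops into chains: a request whose URL matches the
    previous hop's Location continues that chain; a non-3xx response ends it."""
    pending = {}   # (client, url expected to be requested next) -> chain
    chains = []
    for r in rows:
        chain = pending.pop((r["client"], r["url"]), None) or [r["url"]]
        if r["status"] in REDIRECT_CODES and r["location"]:
            chain.append(r["location"])
            pending[(r["client"], r["location"])] = chain
        elif len(chain) > 1:
            chains.append((r["client"], chain))
    # chains whose final landing request never showed up in the log
    chains.extend((client, chain) for (client, _), chain in pending.items())
    return chains

def is_suspicious(chain, min_hops=2, payload_suffixes=(".exe", ".hta", ".js")):
    """Flag the ad -> TDS -> payload pattern: at least min_hops redirects that
    cross more than two hosts and land on a directly executable file."""
    hosts = {urlparse(u).hostname for u in chain}
    lands_on_payload = urlparse(chain[-1]).path.lower().endswith(payload_suffixes)
    return len(chain) - 1 >= min_hops and len(hosts) > 2 and lands_on_payload

def find_suspicious(log_text):
    """Return (client, chain) pairs worth an analyst's attention."""
    return [(c, ch) for c, ch in redirect_chains(parse_log(log_text))
            if is_suspicious(ch)]
```

On the constructed log, only the 10.0.0.5 chain (ad click, TDS hop, .exe landing) is flagged; the 10.0.0.9 click that resolves to a shop page in one hop is not.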
Source –
APT/Vector Intelligence Summary – BlackTDS is a Traffic Distribution System tool that has been advertising its services on black markets since the end of December 2017.
Some malware may also be the end result of a particular TDS's series of redirections, making the TDS a malware infection vector. TDSs present several challenges with regard to malware sample sourcing and malicious URL detection, as they are capable of detecting the use of security tools and often initiate avoidance tactics. TDSs serve a wide range of functions, from selling pharmaceutical products to exploiting system vulnerabilities with malicious code. Targeted attacks refer to those that prey on certain users, use various social engineering techniques, and utilize specially crafted malware. TDSs have made it possible for cybercriminals to choose either specific targets or wide-ranging groups, depending on their geographic locations, software preferences, and language settings; to deploy and distribute malware; and to steal critical information. The possibility of blocking redirection to prevent users from landing on bad sites is thus becoming a valid concern.
The use of malicious TDSs to redirect traffic to compromised sites is becoming more common. Preventing product or service consumers from becoming victims will present the security industry with various technological and financial challenges, as the malicious use of various TDSs will require better sourcing techniques, more advanced detection and blocking tactics, as well as greater manpower to ensure efficiency and effectiveness.
Analyst Notes – It is crucial to maintain a high level of awareness when clicking banners or links whose destination the user does not recognize.
Remediation/Avoidance Recommendation – Anti-spam software and malware detection. Maintain cyber awareness. Do not click on ads on workstations.
- [1] Goncharov, M. (2011). Traffic Direction Systems as Malware Distribution Tools. Trend Micro. Retrieved March 19, 2018, from http://www.trendmicro.es/media/misc/malware-distribution-tools-research-paper-en.pdf
- [2] Symantec. Web-Based Malware Distribution Channels: A Look at Traffic Redistribution Systems. https://www.symantec.com/connect/blogs/web-based-malware-distribution-channels-look-traffic-redistribution-systems