Since December 2017, dark web markets have been displaying advertisements for a new "Traffic Distribution System" called BlackTDS that performs malicious drive-by attacks as a service to paying cyber-criminals, according to a new report from Proofpoint.
According to a 13 March Proofpoint blog post, the makers of the tool, BlackTDS, claim that their cloud-based TDS offers social engineering, redirection to exploit kits, and access to clean domains, while preventing detection by researchers and sandboxes.
Proofpoint reports that adversaries who use BlackTDS simply select a malware or exploit kit API of their choice; drive traffic to the service using spam, malvertising or other techniques; and then let the service do the rest of the work to facilitate the drive-by attack.
"We observed BlackTDS infection chains several times in the wild, distributing malware via fake software updates and other social engineering schemes," wrote Proofpoint researcher and blog post author "Kafeine," adding: "Although identifying BlackTDS sites in the wild was relatively easy based on the presence of a distinctive favicon, effectively associating the traffic with a known actor was difficult and, in some cases, almost impossible."
Proofpoint does note that on 19 February, a threat actor it calls TA505 conducted a huge spam campaign that distributed emails with PDF attachments containing links to a chain involving BlackTDS, ultimately leading to a website claiming to sell discount pharmaceuticals. "TA505 has typically distributed ransomware and banking Trojans at enormous scale, making this particular campaign unusual," Proofpoint remarks.
"Like so many legitimate services, we are increasingly observing malicious services offered as a Service. In this case services include hosting and configuration of the components of a sophisticated drive-by," the blog post concludes. "The low cost, ease of access, and relative anonymity of BlackTDS reduce the barriers to entry to web-based malware distribution."