Threat Management, Network Security

BlackTDS offering lets cybercriminals purchase drive-by attacks as a service

The makers of a new "Traffic Distribution System" that performs malicious drive-by attacks as a service to paying cybercriminals have been advertising their product in underground online markets since December last year, according to a new report from Proofpoint.

Since December 2017, dark web markets have been displaying advertisements for a new "Traffic Distribution System" called BlackTDS that performs malicious drive-by attacks as a service to paying cybercriminals, according to a new report from Proofpoint.

A new "Traffic Distribution System" that performs malicious drive-by attacks as a service to paying cybercriminals has been appearing in ads on dark web markets and forums since December of last year, researchers with Proofpoint have reported.

According to a Mar. 13 Proofpoint blog post, that the makers of the tool, BlackTDS, claim that their cloud-based TDS offers social engineering, redirection to exploit kits, and access to clean domains, while preventing detection by researchers and sandboxes.

Proofpoint reports that adversaries who use BlackTDS simply select a malware or exploit kit API of their choice; drive traffic to the service using spam, malvertising or other techniques; and then let the service do the rest of the work to facilitate the drive-by attack.

"We observed BlackTDS infection chains several times in the wild, distributing malware via fake software updates and other social engineering schemes," wrote Proofpoint researcher and blog post author "Kafeine," adding: Although identifying BlackTDS sites in the wild was relatively easy based on the presence of a distinctive favicon, effectively associating the traffic with a known actor was difficult and, in some cases, almost impossible."

Proofpoint does note that on Feb. 19, a threat actor it calls TA505 conducted a huge spam campaign that distributed emails with PDF attachments containing links to a chain involving BlackTDS, ultimately leading to a website claiming to sell discount pharmaceuticals. "TA505 has typically distributed ransomware and banking Trojans at enormous scale, making this particular campaign unusual," Proofpoint remarks.

"Like so many legitimate services, we are increasingly observing malicious services offered as a Service. In this case services include hosting and configuration of the components of a sophisticated drive-by, the blog post concludes. "The low cost, ease of access, and relatively anonymity of BlackTDS reduce the barriers to entry to web-based malware distribution."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.