BlackTDS Traffic Distribution System for Malware Offered as a Service in the Dark Web

Security researchers uncovered a traffic distribution system (TDS) being advertised as a service in the dark web. The TDS being peddled, which they named “BlackTDS,” is then used to deploy malware and redirect would-be victims to exploit kits.

BlackTDS’ owners offer the service from $6 per day, $45 for 10 days or $90 per month. BlackTDS is also offered for a three-day trial and flaunts multifarious capabilities such as: built-in iframe modes, automatic download and installation of the malware, and means of uploading their malware from a personal account to the peddlers’ servers.

[READ: Bulletproof Hosting Services: Cybercriminal Hideouts for Lease]

Here’s what you need to know about BlackTDS:

What is a traffic distribution system?

Traffic distribution systems serve as middlemen that buy and sell traffic between websites. TDSs’ main functions include controlling and filtering web traffic (clicking a link), and collecting related statistics. They can filter traffic based on the cybercriminal’s preference, such as a user’s web browser and location (via IP address, etc.).

For example, a cybercriminal will set parameters in a TDS to redirect users in the U.S. to banking Trojans but deliver ransomware to other countries, and avoid deploying their malware to the Commonwealth of Independent States (CIS). Traffic distribution systems are a staple for distributing malware via exploit kits and drive-by downloads, and can act as a service for mass-marketing malware. TDS vendors sell the traffic from when a victim clicks on a link.

[READ: Exploits as a Service: How the Exploit Kit + Ransomware Tandem Affects a Company’s Bottom Line]

How does BlackTDS work?

BlackTDS’ owners peddle their service as ‘Cloud TDS,’ which they say customers can easily deploy and configure. The researchers explained, “The operators claim that their Cloud TDS can handle social engineering and redirection to exploit kits (EKs) while preventing detection by bots — namely researchers and sand[b]oxes. BlackTDS also includes access to fresh domains with clean reputations over HTTPS if required.”

Some of the threats BlackTDS was observed to deliver include: ransomware, cryptocurrency-mining malware, point-of-sale malware and keyloggers. These were reportedly distributed through fake software updates and other social engineering lures.

In a recent spam campaign, the researchers saw the cybercriminal group TA505 employ PDF documents that contain links to BlackTDS. The group was notorious for delivering banking Trojans and ransomware.

[READ: Ransomware as a Service Offered in the Deep Web: What This Means for Enterprises]

What can users and organizations do against BlackTDS?

While exploit kit-related activities may still be declining, do-it-yourself products or services like BlackTDS are still finding a niche. By further lowering barriers of entry to cybercriminals (regardless of technical knowhow), the stakes go higher as more threats are released to unwitting users and organizations. They are no less of a threat: web-based attacks, for instance, are seeing increasing prevalence in malicious cryptocurrency mining. Here are some best practices:

Trend Micro™ Deep Security™, Vulnerability Protection, and TippingPoint provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities. Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses from threats by detecting and blocking malicious files and all related URLs. Trend Micro™ Smart Protection Suites deliver several capabilities like high fidelity machine learning, web reputation services, behavior monitoring, and application control that minimize the impact of threats that may be delivered by BlackTDS.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.