Uncovering a malicious traffic direction system (Blackhat-TDS)
Recently an actor has been using domains like realstatistics[.]info to direct users to exploit kits. These domains are injected as scripts into compromised websites, resulting in drive-by attacks on browsers. The domains are used as Traffic Direction Systems (TDS) which determine whether or not a target is of interest and should be sent to the malicious site or not.
What is a TDS?
A TDS is a web based gate that is able to redirect users to various content depending on who they are. A TDS is able to make a decision on where to send a user based on criteria such as their geo-location, browser, operating system, and whether or not they have been sent the malicious content already. There are many legitimate uses of TDSes, but there are also specific TDSes (Sutra, BlackOS, NinjaTDS etc.) written for malware actors.
A malicious TDS will often contain blacklists of IP ranges and ASNs that are not of interest. These blacklists systems are referred to as "anti-bot" systems and typically include security vendors, search engines, and web scanning services. This makes it difficult for web crawlers to see the malicious content, which keeps the TDS undetected for longer. If a user is not determined to be of particular interest then they may be redirected to advertising or other forms of revenue generation.
At the beginning of June we started seeing a prevalent redirection gate being used for exploit kits. The domain realstatistics[.]info was injected into many compromised websites:
The script on the malicious site then inserts an iFrame to an exploit kit (RIG or Neutrino) if the user is determined to be of interest.
Since June 4, 2016 we have seen thousands of unique hits on this domain:
We also saw another domain realstatistics[.]pro, which began to be used at the start of July:
Network traffic for the realstatistics[.]pro gate can be found on the Malware-traffic-analysis blog.
Uncovering The Infrastructure
We decide to dig a bit deeper and discovered several other domains registered by this actor:
realanalytics[.]info real-analytics[.]info istatistics[.]info adsstat[.]info siteanalytics[.]pro realanalytics[.]pro webstatistics[.]pro webstatisticspro[.]net realtds[.]info realtds[.]pro
We were able to find these by pivoting off the WHOIS information using the e-mail address firstname.lastname@example.org. We then discovered that most of the domains use realdns[.]xyz for their name-servers, which is another attacker controlled domain.
Here are 2 more e-mail addresses that have been used for registration:
The registrant names are likely to be fake but here is a list for good measure:
Oskar Elbreht Aleksei Rqbakov Dmitry Kibalchik
Identifying The TDS
We found that the domains probably have a control panel located at /admin/ but we received an "access denied" message when trying to request the page:
This might be due to IP restrictions or maybe because we are not using the full URL to the login page.
We also saw a small debug message from realstatistics[.]pro on July 3:
Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:
- Stage 2 (Lure) - The injected script on compromised websites is detected .
- Stage 3 (Redirect) - The Blackhat-TDS gates are identified and blocked.
- Stage 4 (Exploit Kit) - The exploit kit landing pages, such as RIG or Neutrino, are detected and blocked.
Forcepoint technologies are able to generically detect malicious scripts and iFrames on the web, and do not rely on having to see a threat first before implementing protection.
A Traffic Direction System (TDS) is a very useful tool for an attacker who wishes to restrict the distribution of malicious content. An actor running a TDS can ensure that web crawlers and security vendors are unable to see anything malicious, but real browsing users are redirected to exploits and malware. The "realstatistics" actor recently began to set up TDS infrastructure using the Blackhat-TDS platform, using it as a pre-filter check for sending users on to exploit kits. The actor has already compromised hundreds of websites and is actively registering new domains.