RSA Exclusive: Try new products, meet our executive team, and see VIP guests you won't find anywhere else.

Close
X-Labs
July 5, 2016

Uncovering a malicious traffic direction system (Blackhat-TDS)

Nicholas Griffin Security Researcher

Recently an actor has been using domains like realstatistics[.]info to direct users to exploit kits. These domains are injected as scripts into compromised websites, resulting in drive-by attacks on browsers. The domains are used as Traffic Direction Systems (TDS) which determine whether or not a target is of interest and should be sent to the malicious site or not.

What is a TDS?

A TDS is a web based gate that is able to redirect users to various content depending on who they are. A TDS is able to make a decision on where to send a user based on criteria such as their geo-location, browser, operating system, and whether or not they have been sent the malicious content already. There are many legitimate uses of TDSes, but there are also specific TDSes (Sutra, BlackOS, NinjaTDS etc.) written for malware actors.

A malicious TDS will often contain blacklists of IP ranges and ASNs that are not of interest. These blacklists systems are referred to as "anti-bot" systems and typically include security vendors, search engines, and web scanning services. This makes it difficult for web crawlers to see the malicious content, which keeps the TDS undetected for longer. If a user is not determined to be of particular interest then they may be redirected to advertising or other forms of revenue generation.

"Realstatistics" Gates

At the beginning of June we started seeing a prevalent redirection gate being used for exploit kits. The domain realstatistics[.]info was injected into many compromised websites:

The script on the malicious site then inserts an iFrame to an exploit kit (RIG or Neutrino) if the user is determined to be of interest.

Since June 4, 2016 we have seen thousands of unique hits on this domain:

We also saw another domain realstatistics[.]pro, which began to be used at the start of July:

 

Network traffic for the realstatistics[.]pro gate can be found on the Malware-traffic-analysis blog.

Uncovering The Infrastructure

We decide to dig a bit deeper and discovered several other domains registered by this actor:

realanalytics[.]info
real-analytics[.]info
istatistics[.]info
adsstat[.]info
siteanalytics[.]pro
realanalytics[.]pro
webstatistics[.]pro
webstatisticspro[.]net
realtds[.]info
realtds[.]pro

We were able to find these by pivoting off the WHOIS information using the e-mail address jo.fisher000@gmail.com. We then discovered that most of the domains use realdns[.]xyz for their name-servers, which is another attacker controlled domain.

Here are 2 more e-mail addresses that have been used for registration:

jofisher000@gmail.com
aleksei.rqbakov@mail.ru

The registrant names are likely to be fake but here is a list for good measure:

Oskar Elbreht
Aleksei Rqbakov
Dmitry Kibalchik

Identifying The TDS

We found that the domains probably have a control panel located at /admin/ but we received an "access denied" message when trying to request the page:

This might be due to IP restrictions or maybe because we are not using the full URL to the login page.

We also saw a small debug message from realstatistics[.]pro on July 3:

Working with Kafeine, we were able to identify that this was Blackhat-TDS. Kafeine has previously written a great description of this TDS back in 2014.

Protection Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

  • Stage 2 (Lure) - The injected script on compromised websites is detected .
  • Stage 3 (Redirect) - The Blackhat-TDS gates are identified and blocked.
  • Stage 4 (Exploit Kit) - The exploit kit landing pages, such as RIG or Neutrino, are detected and blocked.

Forcepoint technologies are able to generically detect malicious scripts and iFrames on the web, and do not rely on having to see a threat first before implementing protection.

Summary

A Traffic Direction System (TDS) is a very useful tool for an attacker who wishes to restrict the distribution of malicious content. An actor running a TDS can ensure that web crawlers and security vendors are unable to see anything malicious, but real browsing users are redirected to exploits and malware. The "realstatistics" actor recently began to set up TDS infrastructure using the Blackhat-TDS platform, using it as a pre-filter check for sending users on to exploit kits. The actor has already compromised hundreds of websites and is actively registering new domains.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.