Neutrino and RIG, the top exploit kits (EKs) following the sudden demise of Angler, were recently observed using a malicious Traffic Direction System (TDS) called Blackhat-TDS, Forcepoint researchers warn.
The researchers observed that an actor started using domains like realstatistics[.]info to redirect visitors to EKs, with thousands of unique hits to this domain registered since early June. Starting in July, the realstatistics[.]pro domain also began to appear in logs. Both domains are injected as scripts into compromised websites, which results in drive-by attacks on visitors' browsers.
According to Forcepoint’s Nicholas Griffin, these domains are used as a TDS, meaning that they can determine whether a target is of interest and apply selective redirection accordingly. These web-based gates redirect users to content depending on who they are, taking into consideration criteria such as geo-location, browser, operating system, and whether they have already been sent the malicious content.
While some of these TDSs are built for legitimate purposes, there are also those that serve malicious actors, and they often contain blacklists of IP ranges and ASNs that are not of interest. These usually include security vendors, search engines, and web scanning services, which makes it difficult for web crawlers to detect the malicious content, thus keeping the TDS up and running for longer.
The realstatistics[.]info redirection gate started being used at the beginning of June to send users to exploit kits, and researchers say that it was injected into many compromised websites. If the user is determined to be of interest, the script on the TDS inserts an iframe pointing to RIG or Neutrino, Griffin explains.
After the actor started using realstatistics[.]pro for similar purposes at the beginning of July, Forcepoint’s researcher started digging deeper, and he discovered numerous other domains registered by this actor: realanalytics[.]info; real-analytics[.]info; istatistics[.]info; adsstat[.]info; siteanalytics[.]pro; realanalytics[.]pro; webstatistics[.]pro; webstatisticspro[.]net; realtds[.]info; and realtds[.]pro.
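As an added example (not code from the Forcepoint write-up), the following Python script shows one defensive check a site owner could run against a page suspected of carrying the injection described above: it parses the HTML, collects every external script source, and flags those loaded from the actor's domains listed in the article (including subdomains). The sample page is constructed for the demonstration.

```python
"""Added example: flag <script> tags that load from the TDS domains named in the article."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the article attributes to this actor (de-fanged there with [.]).
TDS_DOMAINS = {
    "realstatistics.info", "realstatistics.pro", "realanalytics.info",
    "real-analytics.info", "istatistics.info", "adsstat.info",
    "siteanalytics.pro", "realanalytics.pro", "webstatistics.pro",
    "webstatisticspro.net", "realtds.info", "realtds.pro",
}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def host_of(url):
    """Lower-cased host of a script URL; protocol-relative //host/path is handled."""
    if url.startswith("//"):
        url = "http:" + url
    return (urlsplit(url).hostname or "").lower()


def matches_tds(host):
    """True if host is one of the listed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TDS_DOMAINS)


def find_tds_injections(html):
    """Return the script sources in html that point at a listed TDS domain."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [src for src in parser.sources if matches_tds(host_of(src))]


# Constructed sample page imitating an injected script tag (not a real capture).
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript" src="//realstatistics.info/js/stat.js"></script>
</head><body>Welcome</body></html>"""

if __name__ == "__main__":
    for hit in find_tds_injections(SAMPLE_HTML):
        print("injected TDS script:", hit)
```

Because the TDS serves benign content to addresses it has blacklisted, a check of the page's own HTML like this one does not depend on where the scan originates.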
The researcher also managed to associate these domains with three email addresses, namely jo.fisher000(at)gmail.com, jofisher000(at)gmail.com, and aleksei.rqbakov(at)mail.ru. Three names also popped up, although they might be fake, the researcher says: Oskar Elbreht, Aleksei Rqbakov, and Dmitry Kibalchik. Moreover, the researcher discovered that the domains use realdns[.]xyz for their name servers, which is another attacker-controlled domain.
According to Griffin, the TDS was eventually identified as Blackhat-TDS, a malicious system that was detailed by French researcher Kafeine in 2014. The TDS emerged in December 2013 as a remake of Ninja TDS, and at the time the researcher observed it being advertised by an actor associated with many other tools.
The use of a TDS to send users to malicious pages isn’t something new, especially when EKs are involved (Angler was seen abusing them before). Given that Angler’s demise led to a significant drop in EK traffic, the remaining threats appear determined to use all available tools to increase their presence on the market. Last week, Forcepoint’s researchers revealed that millions of Russian users were exposed to SmokeLoader via RIG after a popular Q&A and social networking site was compromised.