Web-based malware attacks via exploit kits were commonplace in 2016, although in 2017 this mode of attack fell out of favor with cybercriminals, who concentrated on spam email to deliver their malicious payloads. Exploit kit activity is now at a fraction of the level of 2016, although 2017 did see an increase in activity using the Rig and Terror exploit kits.
Now, a recent discovery by Proofpoint could see exploit kit activity start to increase once again. A new traffic distribution system is being offered on darknet marketplaces that helps cybercriminals direct users to sites hosting exploit kits and conduct web-based malware attacks.
Traffic distribution systems – also known as TDS – buy and sell web traffic and are used to direct web users from one website to another. When a user clicks on a link that is part of a TDS system, they are directed to a website without their knowledge – a website that could host an exploit kit and trigger a malware download.
The new TDS – known as BlackTDS – requires threat actors to direct traffic to the service, which then filters that traffic and directs individuals to exploit kits based on their profile data. The service maximizes the probability of the exploit kit being able to download malware onto their device. The service can also be used to determine which malware will be downloaded, based on the profile of the user.
Threat actors that sign up to use the service can inexpensively select the exploit kits and malware they want installed with all aspects of the malware distribution service handled by the developers of BlackTDS. The developers also claim their cloud-based TDS includes fresh HTTPS domains that have not been blacklisted and that it is difficult for their cloudTDS to be detected by security researchers and sandboxes.
Using spam campaigns and malvertising, threat actors can direct traffic to BlackTDS with all aspects of drive-by downloads handled by the developers. Campaigns being run using BlackTDS have been directing users to the RIG-v, Sundown, and Blackhole exploit kits which are used to download a wide range of keyloggers, ransomware, and other malware variants.
The provision of this malicious service makes it cheap and easy for threat actors to take advantage of web-based malware distribution rather than relying on spam email to spread malicious software. It also makes it clear that exploit kits are still a threat and that web-based malware attacks are likely to become more of a problem over the coming months.
To find out more about how you can protect your business from exploit kits and web-based malware attacks, contact the TitanHQ team today and ask about WebTitan.