Neutrino, RIG Using Blackhat-TDS for Redirection

Neutrino and RIG, the top exploit kits (EKs) following the sudden demise of Angler, were recently observed using a malicious Traffic Direction System (TDS) called Blackhat-TDS, Forcepoint researchers warn.

The researchers observed that an actor started using domains such as realstatistics[.]info to redirect visitors to EKs, with thousands of unique hits to this domain registered since early June. Starting in July, the realstatistics[.]pro domain also began to appear in logs. Both domains were injected as script tags into compromised websites, resulting in drive-by attacks on visitors' browsers.

According to Forcepoint’s Nicholas Griffin, these domains are used as a TDS, meaning that they can determine whether a target is of interest or not and apply selective redirection. These web-based gates redirect users to different content depending on who they are, taking into consideration criteria such as geo-location, browser, operating system, and whether they have already been served the malicious content.

While some TDSs are built for legitimate purposes, others serve malicious actors, and these often contain blacklists of IP ranges and ASNs that are not of interest. The blacklists typically cover security vendors, search engines, and web scanning services, which makes it difficult for web crawlers to detect the malicious content and keeps the TDS up and running for longer.

The realstatistics[.]info redirection gate started being used in the beginning of June to send users to exploit kits, and researchers say that it was injected into many compromised websites. If the user is determined to be of interest, the script on the TDS inserts an iFrame to RIG or Neutrino, Griffin explains.

After the actor started using realstatistics[.]pro for similar purposes at the beginning of July, Forcepoint’s researcher started digging deeper, and he discovered numerous other domains registered by this actor: realanalytics[.]info; real-analytics[.]info; istatistics[.]info; adsstat[.]info; siteanalytics[.]pro; realanalytics[.]pro; webstatistics[.]pro; webstatisticspro[.]net; realtds[.]info; and realtds[.]pro.
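Because the TDS serves clean content to addresses on its blacklist, a crawler that fetches the gate itself may see nothing; a more reliable check is to look at the compromised site's HTML for script or iframe references into the gate domains. The following is an added detection example, not code from Forcepoint or from the article, that refangs the domains listed above and flags any script or iframe whose host matches them or one of their subdomains; the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article, kept in defanged form and refanged for matching.
BLACKHAT_TDS_DOMAINS = {
    d.replace("[.]", ".") for d in (
        "realstatistics[.]info", "realstatistics[.]pro", "realanalytics[.]info",
        "real-analytics[.]info", "istatistics[.]info", "adsstat[.]info",
        "siteanalytics[.]pro", "realanalytics[.]pro", "webstatistics[.]pro",
        "webstatisticspro[.]net", "realtds[.]info", "realtds[.]pro",
    )
}

class _SrcCollector(HTMLParser):
    """Collects the src attribute of every script and iframe tag."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))

def _host_of(url):
    # Injected loaders often use protocol-relative "//host/path"; normalise before parsing.
    if url.startswith("//"):
        url = "http:" + url
    elif "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def find_tds_references(html):
    """Return (tag, url, matched_domain) for every reference into a known TDS domain."""
    parser = _SrcCollector()
    parser.feed(html)
    hits = []
    for tag, url in parser.refs:
        host = _host_of(url)
        for domain in BLACKHAT_TDS_DOMAINS:
            if host == domain or host.endswith("." + domain):
                hits.append((tag, url, domain))
                break
    return hits

# Constructed sample: one legitimate analytics script plus two injected TDS references.
SAMPLE_HTML = """<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script type="text/javascript" src="//realstatistics.info/js/counter.js"></script>
</head><body>
<iframe src="http://cdn.realtds.pro/in.php?id=1" width="1" height="1"></iframe>
</body></html>"""
```

Run it against page source captured from an ordinary residential or cloud egress address rather than a vendor range, since the gate's ASN blacklist can otherwise hide the redirect.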

The researcher also managed to associate these domains with three email addresses, namely jo.fisher000(at)gmail.com, jofisher000(at)gmail.com, and aleksei.rqbakov(at)mail.ru. Three names also popped up, although they might be fake, the researcher says: Oskar Elbreht, Aleksei Rqbakov, and Dmitry Kibalchik. Moreover, the researcher discovered that the domains use realdns[.]xyz for their name servers, which is another attacker-controlled domain.

According to Griffin, the TDS was eventually identified as Blackhat-TDS, a malicious system that was detailed by French researcher Kafeine in 2014. The TDS emerged in December 2013 as a remake of Ninja TDS, and at the time the researcher observed it being advertised by an actor associated with many other tools.

The use of a TDS to send users to malicious pages isn’t new, especially where EKs are involved (Angler was seen abusing them before). Given that Angler’s death led to a significant drop in EK traffic, the remaining threats appear determined to use every available tool to increase their presence on the market. Last week, Forcepoint’s researchers revealed that millions of Russian users were exposed to SmokeLoader via RIG after a popular Q&A and social networking site was compromised.
