Neutrino, RIG Using Blackhat-TDS for Redirection

Neutrino and RIG, the top exploit kits (EKs) following the sudden demise of Angler, were recently observed using a malicious Traffic Direction System (TDS) called Blackhat-TDS, Forcepoint researchers warn.

The researchers observed that an actor started using domains like realstatistics[.]info to redirect visitors to EKs, with thousands of unique hits to this domain registered since early June. Starting in July, the realstatistics[.]pro domain also began to appear in logs. Both domains are injected as scripts into compromised websites, which results in drive-by attacks on visitors' browsers.

According to Forcepoint's Nicholas Griffin, these domains are used as a TDS, meaning that they can determine whether a target is of interest or not and apply selective redirection. These web-based gates redirect users to different content depending on who they are, taking into consideration criteria such as geo-location, browser, operating system, and whether they have already been sent the malicious content.

While some of these TDSs are built for legitimate purposes, there are also those that serve malicious actors, and they often contain blacklists of IP ranges and ASNs that are not of interest. These usually include security vendors, search engines, and web scanning services, which makes it difficult for web crawlers to detect the malicious content, thus keeping the TDS up and running for longer.

The realstatistics[.]info redirection gate started being used in the beginning of June to send users to exploit kits, and researchers say that it was injected into many compromised websites. If the user is determined to be of interest, the script on the TDS inserts an iFrame to RIG or Neutrino, Griffin explains.

After the actor started using realstatistics[.]pro for similar purposes at the beginning of July, Forcepoint’s researcher started digging deeper, and he discovered numerous other domains registered by this actor: realanalytics[.]info; real-analytics[.]info; istatistics[.]info; adsstat[.]info; siteanalytics[.]pro; realanalytics[.]pro; webstatistics[.]pro; webstatisticspro[.]net; realtds[.]info; and realtds[.]pro.
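The injection described above (a script tag pointing at one of the gate domains, added to an otherwise legitimate page) is something a defender can look for directly. The following is an added example, not Forcepoint's code or tooling: it scans HTML for `script` and `iframe` tags whose host is one of the domains listed in this article, with the defanged `[.]` restored. The sample page and its URL paths are constructed for illustration.

```python
"""Flag script/iframe tags that point at the Blackhat-TDS gates named in the report."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains attributed to the actor in the Forcepoint write-up (defanged "[.]" restored).
TDS_DOMAINS = {
    "realstatistics.info", "realstatistics.pro", "realanalytics.info",
    "real-analytics.info", "istatistics.info", "adsstat.info",
    "siteanalytics.pro", "realanalytics.pro", "webstatistics.pro",
    "webstatisticspro.net", "realtds.info", "realtds.pro",
}

def is_tds_host(host):
    """True if host is one of the gate domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TDS_DOMAINS)

def host_of(url):
    """Hostname of an absolute or scheme-relative (//host/...) URL, else None."""
    return urlsplit(url.strip()).hostname

class GateTagScanner(HTMLParser):
    """Collect <script src> and <iframe src> whose host is a known gate."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src and is_tds_host(host_of(src)):
            self.hits.append((tag, host_of(src), src))

def scan_html(html):
    """Return [(tag, host, src), ...] for references to the gate domains."""
    scanner = GateTagScanner()
    scanner.feed(html)
    return scanner.hits

# Constructed sample: a benign page with one injected statistics-lookalike script.
SAMPLE_PAGE = """<html><head>
<script src="/assets/jquery.min.js"></script>
<script type="text/javascript" src="http://realstatistics.info/js/analytics.js"></script>
</head><body><p>Welcome</p>
<iframe src="https://www.youtube.com/embed/example"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, host, src in scan_html(SAMPLE_PAGE):
        print(f"[!] injected {tag} -> {host}: {src}")
```

The same `is_tds_host` check applies to the host field of proxy or DNS logs, where a hit from a referrer on your own site is the signal that the site itself has been compromised.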

The researcher also managed to associate these domains with three email addresses, namely jo.fisher000(at)gmail.com, jofisher000(at)gmail.com, and aleksei.rqbakov(at)mail.ru. Three names also popped up, although they might be fake, the researcher says: Oskar Elbreht, Aleksei Rqbakov, and Dmitry Kibalchik. Moreover, the researcher discovered that the domains use realdns[.]xyz for their name servers, which is another attacker-controlled domain.

According to Griffin, the TDS was eventually identified as Blackhat-TDS, a malicious system that was detailed by French researcher Kafeine in 2014. The TDS emerged in December 2013 as a remake of Ninja TDS, and at the time the researcher observed it being advertised by an actor associated with many other tools.

The use of a TDS to send users to malicious pages isn't new, especially where EKs are involved (Angler was seen abusing them before). Given that Angler's death led to a significant drop in EK traffic, the remaining threats appear determined to use all available tools to increase their presence on the market. Last week, Forcepoint's researchers revealed that millions of Russian users were exposed to SmokeLoader via RIG, after a popular Q&A and social networking site was compromised.
