Legitimate TDS Platform Abused to Push Malware via Exploit Kits

Threat actors abused the legitimate Keitaro Traffic Direction System (TDS) to drive traffic to malware pushing RIG and Fallout exploit kits as part of both malvertising and malspam campaigns.

A TDS is a web-based gateway designed to use various criteria to redirect users to a specific online resource. Legitimate ones like Keitaro are used by advertisers to optimize their advertising campaigns and to target specific audiences but are also known to be often leveraged by threat actors for various malicious tasks.

Keitaro, for instance, provides more than 20 filters for precise web-traffic targeting, including geolocation, mobile operator, device and browser info, timetable and more.

There are also ones specifically created to be used for illicit purposes—EITest, Seamless, Sutra, BlackOS, NinjaTDS— like redirecting potential victims to exploit kits that attempt to infect them with various malware strains.

"A Traffic Direction System (TDS) is a very useful tool for an attacker who wishes to restrict the distribution of malicious content," according to Forcepoint. "An actor running a TDS can ensure that web crawlers and security vendors are unable to see anything malicious, but real browsing users are redirected to exploits and malware."

Exploit kit powered malware distribution

As security researchers at Forcepoint discovered, Keitaro was abused in campaigns designed to generate "millions of malvertising impressions and URL-based malicious messages." 

This made it almost impossible to block it or distinguish it from legitimate traffic since the TDS is also used for other purposes besides malware distribution.

"Because Keitaro also has many legitimate applications, it is frequently difficult or impossible to simply block traffic through the service without generating excessive false positives, although organizations can consider this in their own policies," Proofpoint's Q3 2019 Threat Report says.

Keitaro was used in August to funnel web traffic to Fallout or RIG EK based on each target's potential vulnerabilities and geolocation, using the browser version, the geographic location, the OS and platform, as well as the mobile carrier when available for filtering.

The malspam campaigns that leveraged Keitaro for nefarious purposes would redirect the users to malvertising sites that would infect them using one of the two exploit kits, to malicious files used to drop malware payloads, and, once in a while, to legit sites.

Once the redirected users systems got compromised, the attackers infected them with a wide range of malware strains including but not limited to AZORult (sometimes downloading ServHelper), Predator the Thief downloading some CoinMiner, KPOT, SystemBC, Osiris, Chthonic, Vidar Stealer, Amadey downloading Danabot "40," Amadey downloading Vidar, Gootkit, or Onliner.

The operators behind the Keitaro-powered campaigns followed "the trend of more complex attack chains and redirections to hide their activities and exploit multiple vectors, including exploit kits."

"We continue to proactively monitor Keitaro to improve immediate detection of abusive applications, rewriting and condemning URLs in malicious email campaigns," the Forcepoint report concludes.