Crimeware ‘Cloud’ Takes Cues From Enterprise Services


The BlackTDS malware distribution network automates attacks with ease-of-use inspired by legitimate cloud platforms

Security researchers have uncovered an elaborate crimeware scheme that takes its cues from the latest trends in enterprise computing, offering its range of illegal measures over an automated, cloud-based platform.

The BlackTDS traffic distribution system (TDS) allows users to distribute malware using various social engineering techniques, for instance disguising it as an update to Adobe Flash or Java or a fake Microsoft Font Pack.

The system makes use of malicious web domains that look similar to well-known ones – a practice known as typosquatting – and uses infected ads and spam to help spread its clients’ wares, according to security firm Proofpoint.

Potential BlackTDS customers are assured they will have access to fresh domains with clean reputations and can use the secure HTTPS protocol if need be.

An advertisement for BlackTDS. Credit: Proofpoint

Crimeware ‘as a service’

Criminals can use the tool to either directly distribute the malware of their choice or lead targets to an exploit kit that handles the infection process for them, Proofpoint found.

Those behind the system, which has its own favicon, refer to it in their advertising as a “Cloud TDS”.

“You do not need your own server to receive traffic,” reads a forum advert for BlackTDS uncovered by Proofpoint. “API for working with exploit packs and own solutions for processing traffic for obtaining installations (FakeLandings). Dark web traffic ready-made solutions.”

The advert lists new features added over the Christmas holidays, including download improvements and personalisation options.

BlackTDS is notable for its high degree of automation and ease-of-use, Proofpoint said.

“Threat actors drive traffic to BlackTDS via spam, malvertising, and other means, set up the malware or EK API of their choice, and then allow the service to handle all other aspects of malware distribution via drive-by,” the company said in an advisory.

Proofpoint said the system has been active since the end of last year, and attributed it to a known hacker or hacker group that has previously been associated with the distribution of “ransomware and banking Trojans at enormous scale”.

The firm said BlackTDS is a good example of the way that crimeware enterprises are becoming increasingly mature, developing their technology along the same lines as that used by legitimate businesses.

“The low cost, ease of access, and relative anonymity of BlackTDS reduce the barriers to entry to web-based malware distribution,” Proofpoint wrote.

The crimeware network also shows that web-based exploits and exploit kits are not a thing of the past, but are instead increasingly incorporating social engineering techniques.

Those methods make them all the more difficult to defend against, because they take advantage not only of existing technology, but also “human fallibility”, Proofpoint said.
