# Drive-by as a service: BlackTDS

March 13, 2018, by Kafeine

**Overview**

Proofpoint researchers have been tracking a new Traffic Distribution System called BlackTDS implicated in the distribution of a variety of malware. BlackTDS is a privately held tool that has been advertising its services on underground markets since the end of December 2017. BlackTDS offers a variety of services to its clients that they collectively refer to as a "Cloud TDS." The operators claim that their Cloud TDS can handle social engineering and redirection to exploit kits (EKs) while preventing detection by bots, namely researchers and sandboxes. Cloud TDS also includes access to fresh domains with clean reputations over HTTPS if required.

The services offered by BlackTDS are summarized in their forum advertisements, the text of which we have left unaltered:

> _"Cloacking antibot tds based on our non-abuse servers from $3 per day of work. You do not need your own server to receive traffic. API for working with exploit packs and own solutions for processing traffic for obtaining installations (FakeLandings). Dark web traffic ready-made solutions. Placed in 1 click hidden code to use the injection in js on any landings, including on hacked websites."_
>
> _"Cost - $6 per day, $45 per 10 days, $90 per month, FREE place on our server, FREE hosting of your file on green https:// domain. 3 DAYS FREE TEST"_
> _* Cloud Antibot Traffic Management System on our non-abuse servers_
> _* API for working with bundles of equities and custom solutions for processing traffic for obtaining_
> _* Placed in 1 click hidden code to use the injection in js on any landings including on the shells_
>
> _What we added during the holidays:_
> _* Built-in modes Iframe (a little morally outdated, but asked - we did)._
> _* fake Mirosoft update (breaks the page)._
> _* Fake update Jav and Fake update Flash (the page does not break, the original content is visible)._
> _* uploading a file from your personal account to our server._
> _* Configure delay for the appearance of fake windows._
> _* Auto-download when clicking on the window area._
> _* Updating the Black and Geo databases from 13.01.18._
> _* increased by breaking through the downloads from 6%-12% to 10%-30%._
> _* added detailed statistics on users who downloaded the file._
> _* autostart file in fakes._
>
> _And this is only on holidays! We continue to work. Cloud TDS at your service_

Figure 1 shows a screen capture of the cost breakdowns and services offered by BlackTDS.

_Figure 1: Portion of a BlackTDS advertisement_

Threat actors drive traffic to BlackTDS via [spam, malvertising, and other means](https://www.proofpoint.com/us/threat-insight/post/pyramid-schemes-go-high-tech-affiliate-spam-and-malware-affiliates), set up the malware or EK API of their choice, and then allow the service to handle all other aspects of malware distribution via drive-by.

localization, and recent updates.

_Figure 2: BlackTDS home page_

We observed BlackTDS infection chains several times in the wild, distributing malware via fake software updates and other social engineering schemes (Figures 3, 6-8).
_Figure 3: Fake Java Plugin download associated with a BlackTDS drive-by_

_Figure 4: BlackTDS favicon that appears on all identified sites associated with the TDS_

Although identifying BlackTDS sites in the wild was relatively easy based on the presence of a distinctive favicon (Figure 4), effectively associating the traffic with a known actor was difficult and, in some cases, almost impossible.

_Figure 5: Fake Microsoft Font Pack download associated with a BlackTDS drive-by_

_Figure 6: Fake Java Plugin download associated with a BlackTDS drive-by on a typosquatted domain_

_Figure 7: (caption truncated in the source; source: @Nao_sec)_

_Figure 8: Fake Adobe Flash Player update associated with a BlackTDS drive-by (source: @Nao_sec)_

_Figure 9: Selection of events we documented involving BlackTDS_

_Figure 10: (caption truncated in the source) ... ultimately redirected to Keitaro TDS and Grandsoft Exploit Kit_

On February 19, we also observed a massive spam campaign from the actor [TA505](https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter) with PDF attachments containing links to a chain involving BlackTDS before ending on a website purporting to sell discount pharmaceuticals. TA505 has typically distributed ransomware and banking Trojans at enormous scale, making this particular campaign unusual.

_Figure 11: HTTPS URL to BlackTDS in malspam - February 19, 2018_

_Figure 12: Pharma website receiving the traffic after BlackTDS filtering_

It is worth noting that we were able to determine which actor operates the service itself based on an artefact of this TDS that has been present since at least February 2017. We associate the artefact with a traffer we track under the name "BBSindex". Figure 13 shows infection activity we associate with both BBSindex and BlackTDS:

_Figure 13: Overview of "bbsindex" traffic activity. We believe the artefact tied to BlackTDS appeared between February 12-19, 2017_

BlackTDS runs on a single IP address that proved simple to track.
However, at the end of February, after being heavily flagged in many reputation services, the organization changed the

_Figure 14: New BlackTDS home page, retrieved March 4, 2018_

**Conclusion**

Just as with legitimate services, we are increasingly observing malicious services offered "as a Service." In this case the services include hosting and configuration of the components of a sophisticated drive-by. The low cost, ease of access, and relative anonymity of BlackTDS reduce the barriers to entry to web-based malware distribution. With full support for social engineering and the flexibility to either distribute malware directly or simply redirect victims to exploit kit landing pages, BlackTDS demonstrates the continued maturation of crimeware as a service. Moreover, it demonstrates that, despite their steady decline, EKs and web-based attacks are not a thing of the past. On the contrary, web-based attack chains are increasingly [incorporating social engineering](https://www.proofpoint.com/us/corporate-blog/post/social-engineering-exploit-kits-web-attacks), taking advantage of both existing underlying infrastructure and human fallibility rather than short-lived exploits.

**Acknowledgement:** Thanks to @nao_sec for sharing the Japanese regionalized version of the Social Engineering templates.
**Indicators of Compromise (IOCs)**

| Indicator | Type | Description |
|---|---|---|
| blacktds[.]com | Domain | Customer-facing domain from the middle of December 2017 to the end of February 2018 |
| blacktds[.]cf | Domain | Customer-facing domain starting 2018-03-04 |
| 88.99.48[.]65 | IP | Both victim- and customer-facing IP from the middle of December 2017 to the end of February 2018 |
| 46.30.45[.]78 | IP | Both victim- and customer-facing IP starting 2018-03-04 |
| en.sundayloop[.]com \| 193.70.73[.]251 | Domain \| IP | BBSindex redirector from 2017-02-06 till 2017-09-18 (earlier version of BlackTDS in private mode) |
| 6a207ea9d9e60a9bc9de7b1c2b87e06fa85ac31cbbf8c69e1627408c8f3d2b7f | SHA256 | PDF attachment with link to BlackTDS - 2018-02-19 |
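The indicators above are published defanged (`[.]`), so a defender has to refang them before matching. The following script is an added example, not Proofpoint's tooling: it refangs the IOCs from the table, scans web-proxy log lines for the BlackTDS/BBSindex domains (including subdomains) and IPs, and checks a mail attachment's SHA-256 against the listed PDF hash. The log format and the sample log lines are constructed for the example; adapt `LOG_RE` to your own proxy's format.

```python
import re
from dataclasses import dataclass

# Indicators exactly as published in the IOC table above (defanged form).
DEFANGED_IOCS = {
    "blacktds[.]com": ("domain", "BlackTDS customer-facing domain, Dec 2017 to Feb 2018"),
    "blacktds[.]cf": ("domain", "BlackTDS customer-facing domain from 2018-03-04"),
    "88.99.48[.]65": ("ip", "BlackTDS victim/customer-facing IP, Dec 2017 to Feb 2018"),
    "46.30.45[.]78": ("ip", "BlackTDS victim/customer-facing IP from 2018-03-04"),
    "en.sundayloop[.]com": ("domain", "BBSindex redirector, 2017-02-06 to 2017-09-18"),
    "193.70.73[.]251": ("ip", "BBSindex redirector IP, 2017-02-06 to 2017-09-18"),
    "6a207ea9d9e60a9bc9de7b1c2b87e06fa85ac31cbbf8c69e1627408c8f3d2b7f":
        ("sha256", "PDF attachment linking to BlackTDS, 2018-02-19"),
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('blacktds[.]com', 'hxxps://') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_ioc_index(defanged: dict) -> dict:
    """Map refanged, lower-cased indicator -> (type, description)."""
    return {refang(ind).lower(): meta for ind, meta in defanged.items()}


IOC_INDEX = build_ioc_index(DEFANGED_IOCS)

# Constructed proxy log lines for the example (not real traffic):
# timestamp, client IP, destination host, destination IP, URL.
SAMPLE_PROXY_LOG = """\
2018-02-20T09:12:01Z 10.1.4.22 www.example.com 93.184.216.34 https://www.example.com/index.html
2018-02-20T09:12:07Z 10.1.4.22 blacktds.com 88.99.48.65 https://blacktds.com/js/plugin.js
2018-03-05T14:03:44Z 10.1.7.9 cdn.example.net 46.30.45.78 http://cdn.example.net/update
2018-03-05T14:03:50Z 10.1.7.9 sub.blacktds.cf 46.30.45.78 https://sub.blacktds.cf/
"""

# Hypothetical log layout matching the constructed lines above; adapt to your proxy.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<dst>\S+)\s+(?P<url>\S+)$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    matched: str   # the refanged indicator that fired
    kind: str      # "domain" or "ip"
    note: str


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True for the indicator domain itself or any subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_proxy_log(text: str) -> list:
    """Return one Hit per (log line, indicator) pair; a line can fire on both host and IP."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        host, dst = m["host"], m["dst"]
        for ioc, (kind, note) in IOC_INDEX.items():
            if (kind == "domain" and domain_matches(host, ioc)) or (kind == "ip" and dst == ioc):
                hits.append(Hit(m["ts"], m["client"], ioc, kind, note))
    return hits


def check_attachment_hash(sha256_hex: str):
    """Return the IOC description if an attachment's SHA-256 is the listed BlackTDS PDF, else None."""
    entry = IOC_INDEX.get(sha256_hex.strip().lower())
    return entry[1] if entry and entry[0] == "sha256" else None


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{h.timestamp} client={h.client} matched={h.matched} ({h.kind}): {h.note}")
```

Matching on the destination IP as well as the host name matters here because the page notes that BlackTDS served victims and customers from a single IP and later moved to a second one; a host-only rule would miss traffic to an unlisted domain parked on the same address, as the third constructed log line shows.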