Cyber-crooks find a new way to share malware and scams

Cybercrime-as-a-service takes another step forward.
Written by Danny Palmer, Senior Writer

Yet another cybercrime-as-a-service offering is making it easier for even wannabe crooks to carry out large-scale malware campaigns.

Known as BlackTDS, the service further lowers the bar for prospective cybercriminals. It allows individuals without technical know-how to instruct the service owners to carry out highly scalable, potentially massive spam and malvertising campaigns on their behalf.

The service includes hosting and configuration of the components of a sophisticated drive-by attack, as well as support for social engineering and the flexibility to either distribute malware directly, or simply redirect victims to exploit kit landing pages.

"The low cost, ease of access, and relative anonymity of BlackTDS reduce the barriers to entry to web-based malware distribution," said researchers at security company Proofpoint, who detailed the campaign.

Those behind BlackTDS have been advertising on underground markets since December 2017, offering to handle the social engineering and the redirection to exploit kits, while also claiming to evade detection by cybersecurity researchers and sandbox tools.

The adverts describe BlackTDS as offering 'dark web traffic ready-made solutions', capable of code injection on hacked websites, and state that the user doesn't need their own server to receive traffic, meaning the service is open to even low-level criminals.

"BlackTDS handles not only the filtering and redirection but also hosts social engineering templates -- like fake Flash updates -- that can be used to trick users into clicking, downloading, and installing malware," Kevin Epstein, VP, Threat Operations Center at Proofpoint, told ZDNet.

In many cases, the malicious code is delivered to victims through fake software updates purporting to be for Java, Flash, font packs, and more, alongside other social engineering lures that encourage users to download bogus updates which then compromise the system.

While BlackTDS does open up drive-by campaigns to low-level actors, Proofpoint uncovered a massive campaign during mid-February which appeared to be operating on behalf of TA505, a prolific hacking group previously known to distribute the Dridex banking trojan, Locky ransomware, Jaff ransomware, and more.

However, in this instance, TA505 used BlackTDS to conduct a massive spam campaign which redirects to a website claiming to sell discount pharmaceuticals, which researchers describe as "an unusual departure for the group generally focused on high-volume malware campaigns".

It also goes to show that, despite BlackTDS being predominantly advertised as a low-cost, easy-to-access service, sophisticated groups are more than happy to purchase 'as-a-service' schemes if doing so helps further their goals.
