CyberWire Daily - BlackTDS and ThreadKit offered in criminal markets. [Research Saturday]
Episode Date: May 5, 2018
Kevin Epstein is Vice President of Proofpoint's Threat Operations Center. We're discussing two bits of research with him today. The first is about BlackTDS, a traffic distribution tool for sale in ...dark web markets. A little later in the show, he'll tell us about ThreadKit, a document exploit builder.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
This is something that has been advertising in the markets since the end of December.
That's Kevin Epstein, Vice President of Proofpoint's Threat Operations Center.
We're discussing two bits of research with him today. The first is BlackTDS, a traffic distribution tool for sale in dark web markets.
A little later in the show, he'll tell us about ThreadKit, a document exploit builder.
But first, more on BlackTDS.
Traffic direction systems, TDSs, are systems that can look at your browser and the place you're coming from and effectively, in legitimate uses, choose to then show you
different ads or different web pages based on your locale and your system. This makes great
sense from a legal standpoint.
You'd want to see different web pages on your mobile device versus your laptop, for example.
But unfortunately, in this scenario, it's being used for illegitimate purposes. In other words, people are being lured to click on a link and then redirected to a site that will do malicious things to them
based on their device. So take us through exactly what are they offering for sale here
on these dark web markets? So the primary service, BlackTDS, is just this routing service. Think of
it as a procurement service where someone stops you in
the street, assesses you, understands where your wallet is, and then directs you to the appropriate
venue to be mugged, pickpocketed, or whatever. The various sites that people are directed to
range from those that attempt to load ransomware onto systems or software that can monitor keystrokes
or software that can intercept usernames and passwords. Really, the sky's the limit.
If I'm a bad guy looking to set up my service, the bad things I want to do,
what part of that will this play? Is this just one of the components that I need,
or are these folks offering kind of a soup-to-nuts service?
This is one of the several components, and again, to use a physical world analogy,
if you want to extract money from people, there are lots of ways of doing that illegally,
some more subtle, like pickpocketing, some more obvious and direct, like kidnapping you and holding you for ransom.
The attackers have to choose their weapon of choice, if you will. Are they going to con you
by sending you to a fake pharmacy page and persuading you to pay money for fake drugs?
Are they going to be more direct, send you to a page that loads ransomware on your computer and
holds your computer hostage? Are they going to be sneaky spies and send you to a page that sneaks spyware
onto your computer and then captures usernames and passwords to your bank account? So they need
to choose their weapon. And then they also lease this service that, again, acts like a procurement agent, sort of standing out in a
safe place and routing people accordingly based on their susceptibility to these different weapons,
to these different attacks. And so from a basic point of view, how would I find myself
routed by this tool? The bad news is you'd probably never know. So imagine yourself browsing the web if you click the wrong
advertisement or in an email, there might be an email solicitation for something interesting and
you click the link and instead of taking you to what you thought was a legitimate site, your tour
guide has offered to give you a tour of the back alleys, and instead of an
interesting new site, you end up in a very dangerous place. And sometimes you may not even
realize it. Sometimes the attack is performed as what's called a drive-by, meaning you'd click the
link. The link would say, come visit this new travel site. Your browser would open. In the background, as your browser attempted to load
the site, the TDS, the traffic direction system, would send your browser to a site
that would load some nasty things onto your system and then on to the legitimate travel site. The
only difference would be perhaps a second or two in end page load time.
Now, when you say nasty stuff that might load on my system, what are we typically talking about here?
So in a so-called drive-by download or a web-based attack, you might see anything loaded on your,
again, your laptop or your cell phone, ranging from the very obvious ransomware. I think at this point everyone's
unfortunately familiar with the concept of happily browsing the web and suddenly your system locks up
and displays a screen that says all of your files have been encrypted, please pay us money to get
them back. Or you might encounter something far more subtle. You might never know that something had been loaded on your system,
but behind the scenes, it was capturing your bank account username and password.
And the first time you recognize this is when you log into your bank account and your balance has
been reduced to six cents. And the bank happily informs you that you transferred a large sum of
money to a place you've never heard of.
Can you take us through what are some of the pop-ups that they're serving up with the service?
So one of the things just in general, web browsing that people should be suspicious of is that often attackers need your assistance to complete the attack. So as you browse the web, a pop-up might say, gosh, we haven't found a Java
plugin, Java 8.0, or you're missing a Windows font pack.vbs, or gosh, you don't have the latest
antivirus or spyware protection, ironically enough. Click this pop-up to install that,
or the Adobe Flash player. You're missing the appropriate player. Click to install.
In general, anytime you see a pop-up, it's much safer to close the browser window,
go directly to the supposed vendor site. So, for example, if it says your Adobe is out of date,
close that window. Go visit Adobe's website.
Make sure you're up to date with their latest player from their website.
And then go back to the page.
If it's still popping up an error, gosh, you might not want to be there.
Right.
Now, you are also seeing some spam campaigns.
They were taking people to pharmaceutical sites, things like that?
Absolutely. So if your
browser is judged by the attacker's traffic direction system as being really well protected,
well locked down, they're not going to give up on you. They'll still try and extract money via
social tactics versus direct binary tactics. We have seen a number of generic pharmacy sites attempting to sell people
so-called generic Viagra or the super discount pack of Viagra. Again, we've not personally
tested this, but a number of us have a reasonable degree of suspicion that if you put your credit
card in, you would not actually be receiving the products advertised
and certainly not any form of Viagra.
So really just put up there to harvest your credit card information.
And charge you money, exactly.
Right, right.
So what are your recommendations for how people can protect themselves against this?
So in general, we tend to urge the same thing that
one would say to anyone approaching a big city, which is, number one, be reasonably cautious and
use common sense. And number two, you still want to lock your door at night. Translated for
computers, number one, if something looks too good to be true, if a website is popping up things it
wants you to accept, anytime anything asks you to click to enable, click to install, click to accept,
be very suspicious right there. In addition, again, on the locking your door theme,
be sure that you have both individual protection on your computer in the sense of antivirus software and malware protection software,
and that if you're working within an organization, that it, of course, also has defenses as well for the organization in terms of inbound email and or web browsing.
Again, I think the most important thing is probably the hardest to quantify, which is that most of the successful attacks we see these days depend on the target person, us, your cooperation with the attacker.
The attackers have gotten quite good at social engineering to encourage all of us to click.
If we were all sufficiently suspicious, the infection rates and compromise
rates would be radically reduced. If you open an office document and it says click to enable,
don't. If you are, again, visiting a website and it asks you to install a plugin, download something,
enable something, you may be enabling the attacker
more than you are enabling your web experience.
So really, really do encourage people to recognize
that the internet is a big city.
We are but tourists.
Let us exercise caution accordingly.
Yeah, it's an interesting analogy.
I want to switch gears with you a little bit
and touch on another bit of research
that you
all have been working on at Proofpoint. This was called Unraveling Threadkit. Can you give us a
description? What were you working on here? Threadkit is one of the useful things for
attackers, not so great for the rest of us. As we've talked about in the past, if you are an
attacker, you need a lot of pieces of your attack.
Just like the physical world, again, if you're going to go rob a bank, you're going to need a getaway car.
You're going to need some weaponry, disguises, maybe a safe cracking set of tools.
If you are a cyber attacker, you're going to need a way to deliver your threat.
You're going to need the actual malware or software that gets into someone's computer, and then the software that sits on their computer and reports
back to you, steals their password, etc. These things are possible to put together yourself,
but attackers have made a multi-level business out of this. And so ThreadKit
is a way of very quickly building hostile Microsoft documents to be attached to email and
delivered to you as an end user, which then installs nasty things.
Describe to us what has the campaign been with ThreadKit, and how exactly does it work?
If you picture yourself as an innocent end user, you, if you're unlucky, will occasionally receive emails,
possibly even purporting to be from people you know, with a very important document attached,
perhaps an invoice or a, you know, open this quickly, it's a legal notice, etc.
When you double-click that document, it opens and may or may not display an enable button,
but usually will have either some statement about Microsoft
Word has encountered a problem and needs to close, or it's a blank document. It's not what you were
expecting. Meanwhile, in the background, malware is being installed thanks to your clicking on
that document and starting the installation process. ThreadKit is a kit for an attacker. Think of it as
a toolkit where they enter certain choices
and the kit then
produces as output this type of evil
Word document or evil attachment for email.
So, you know, click, yeah, that's interesting.
So you can choose from column A, choose from column B,
depending on what you're trying to set out to do with the people you're looking to victimize.
Exactly. And you don't need to write sophisticated computer code.
You don't need to be a hardcore engineer.
If you too want to send people nasty malware, you can do it at the click of a button.
There was an interesting thing that you all noticed, digging into some of the technical details.
In October of 2017, you all discovered an interesting technique that this uses to locate a parent document to avoid hard coding it.
Can you dig into what exactly was going on here?
If you want to get malware in someone's computer,
the hard way to do it is to pack it all into one big document.
Think of showing up at someone's door where you want to sneak something into their house.
If you're carrying a suitcase, it's a lot easier to spot you,
especially if the suitcase has the same writing on it all the time on
the side in big red letters.
You know, this is dangerous.
All you need to do is train people or in this case, antivirus programs to look for that
signature and they'll stop it.
What the ThreadKit builders did was create effectively sort of a small briefcase with a callout that in a very smart way then figures out how to reach back outside and grab the rest of the things it needs and load them in by itself.
Specifically, it can change the name
of what it's looking for. So again, if you're an antivirus program, it's more challenging to
spot this happening, to find a so-called signature for the bad stuff being loaded.
So again, in terms of people protecting themselves against this sort of thing, is it really a standard
looking out for rogue Microsoft Office documents?
Yes, and at the same time hardly that simple. So on the one side, absolutely, if none of us ever opened email attachments,
the relative infection rate would probably drop. But of course, as part of business, we send each other email with document attachments all the time.
Part of it is social engineering. Again, if you receive something from someone where you were not
expecting an attachment, or if you open an attachment and it does something unexpected, it claims that it encountered a problem or it asks you to enable macros or something like that, then you should be suitably suspicious
and report it to IT immediately.
That said, because documents will be sent, because documents will be opened, it is also
necessary to have both on your local system software that looks for suspicious behavior
and outside of your system software that is examining the network traffic to and from your
computer, so that if you get infected by one of these things and it tries to load more malware
onto your system, that behavior can be observed and blocked.
So looking at the big picture with these malware as a service offerings, what do you think
that this indicates?
I mean, a couple of things strike me.
First of all, that the bad guys, rather than doing the bad things themselves, are selling
these kits to do the bad things.
That's interesting.
But then also, I guess the cost of entry to be able to do these things has gone way down
because other people are willing to step up and do the technical work for you.
Absolutely correct.
Make no mistake, cybercrime is a huge business. It is a sophisticated, multi-level business,
comparable to any major entity or entities around the world. They have supply chains,
just as a large company would depend on specialty manufacturers for certain elements,
so do the attackers. There are folks who specialize in creating malware.
There are folks who specialize in building kits. There are folks who specialize in the emailing of large volumes of email, folks who specialize in creating target lists of potential recipients,
you name it. Again, this is all about the money. If you want to know attack trends, just apply the same rules as you would to any business.
Look for the best return on your investment.
For instance, when ransomware emerged, it provided a very high return relative to other types of attacks.
It was relatively simple malware to create.
It did not require lots of targeting, and it was direct money from each recipient.
As people grew better at blocking ransomware, and as people grew more cynical about paying
the ransoms, not believing they would get their files back, the return on that investment dropped
for attackers, and we saw a commensurate fall in ransomware and increases in other forms of malware, such as cyber currency miners.
I would, again, simply go back to your comment about business.
I would emphasize cyber crime is a business.
If you can make it more expensive for the cyber criminal to successfully attack you versus the next possible target, you will be reasonably successful in your defense.
Just like living in a big city, it's not about making your apartment invulnerable. It's about
making it harder to break into than an easier target. That's that old joke about if you and
I are being chased by a bear, I don't have to outrun the bear. I just have to outrun you.
The bear theory unfortunately applies to the world of security. It is true.
Our thanks to Kevin Epstein from Proofpoint for joining us.
You can learn more about BlackTDS and ThreadKit on the Proofpoint website.
It's in their blog section.
The Cyber Wire Research Saturday
is proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.