Recently, Forcepoint Security Labs shared information on drive-by download activity impacting a compromised website pushing visitors to an instance of the Rig Exploit Kit. They identified content on the compromised site that resulted in the inclusion of malicious redirection content from an intermediary site, and subsequently pushed visitors to the exploit kit to compromise the host and install Qakbot malware on vulnerable systems.
At RiskIQ, we love seeing coverage of malicious activity involving traffic redirection, as this is an interesting and relevant piece of the threat landscape. Most often, malicious traffic redirectors are glossed over or only lightly examined as analysts and researchers focus their attention on the weaponized payloads of the exploit kit and distributed malware loads. However, in the online crime ecosystem, traffic represents an important commodity for malicious actors, and the conversion of traffic from compromised sites, ads, and other sources is a key element in monetizing their efforts. We view this as a valuable element in intelligence gathering related to specific actors and their activity. RiskIQ views the Internet from outside the firewall, experiencing the web as end users do and uncovering attackers’ digital footprints to provide insight for our customers and partners into how threats on the Internet affect their customers and employees.
Malicious traffic distribution
The referenced post shows an indicator as a URL for the malicious redirector on sc.gandhiprobably.com: http://sc.gandhiprobably.com/jqjkviewforumlpaqt.ph...
Upon review of the reported event, we recognized that the malicious redirector is a traffic distribution system (TDS) payload we track under the name KTS. This naming reflects URI patterns we’ve observed with past instances of this TDS, going back to at least the beginning of 2014. This blacklist incident report shows a similar drive-by redirection to the TDS from a compromised site in late 2014.
Because the injected URL on compromised sites is hosted on a domain pointing to a front-end proxy, attackers have the freedom to modify inbound URLs to the TDS in order to bypass detection signatures. Between November and December of 2015, the attackers did do this, shifting from an older style of injected URI path to a newer one:
220.127.116.11 AS20013 | US | arin | 2001-03-14 | CYRUSONE - CyrusOne LLC
Over the course of monitoring this traffic-distribution activity, we observed several compromised sites, some with extremely persistent code injections (lasting several months at a time without remediation, or longer). The following is a sample of sites observed to have been impacted by this activity:
This behavior, the use of automation and the presence of delimiting markers in modified script files, is a technique that we see frequently. It points to the economy of scale that attackers can leverage as they attempt to maximize the reach of these attacks.
This malicious traffic distribution activity has another feature deserving of mention, thanks to recent attention in the security response community. The actor behind the KTS redirector regularly abuses hijacked DNS domain holder accounts, injecting rogue A records to support their own malicious name resolution, a technique known as Domain Shadowing. We have written about Domain Shadowing recently at RiskIQ, and others have as well. A sampling of past and present hostnames from KTS URLs illustrates this behavior:
This domain abuse has the following characteristics:
- Hijacked domains are registered with GoDaddy
- Actors started using common, discreet WWW terms such as static, cdn and img for their rogue records, but more recently shifted to smaller, two-letter names such as st and mt
- As opposed to other actors’ abuse of hijacked domains, the KTS operators use a small number of A records (sometimes only 1-2) per affected domain, rather than hundreds or thousands of records per domain
- Injected records typically point to hosts in the following networks:
- AS46606 | US | UNIFIEDLAYER-AS-1 - Unified Layer
- AS20013 | US | CYRUSONE - CyrusOne LLC
In all uses of Domain Shadowing for malicious host resolution, actors gain several advantages. In a series of future posts, will will further examine the use of Domain Shadowing amid ongoing campaigns in the web threat space, illustrating different techniques utilized by threat actors.