The Anatomy of KTS Malicious Traffic Distribution

Recently, Forcepoint Security Labs shared information on drive-by download activity impacting a compromised website pushing visitors to an instance of the Rig Exploit Kit. They identified content on the compromised site that resulted in the inclusion of malicious redirection content from an intermediary site, and subsequently pushed visitors to the exploit kit to compromise the host and install Qakbot malware on vulnerable systems.

At RiskIQ, we love seeing coverage of malicious activity involving traffic redirection, as this is an interesting and relevant piece of the threat landscape. Most often, malicious traffic redirectors are glossed over or only lightly examined as analysts and researchers focus their attention on the weaponized payloads of the exploit kit and distributed malware loads. However, in the online crime ecosystem, traffic represents an important commodity for malicious actors, and the conversion of traffic from compromised sites, ads, and other sources is a key element in monetizing their efforts. We view this as a valuable element in intelligence gathering related to specific actors and their activity. RiskIQ views the Internet from outside the firewall, experiencing the web as end users do and uncovering attackers’ digital footprints to provide insight for our customers and partners into how threats on the Internet affect their customers and employees.

Malicious traffic distribution

The referenced post shows an indicator as a URL for the malicious redirector on

Upon review of the reported event, we recognized that the malicious redirector is a traffic distribution system (TDS) payload we track under the name KTS. This naming reflects URI patterns we’ve observed with past instances of this TDS, going back to at least the beginning of 2014. This blacklist incident report shows a similar drive-by redirection to the TDS from a compromised site in late 2014.

Because the injected URL on compromised sites is hosted on a domain pointing to a front-end proxy, attackers have the freedom to modify inbound URLs to the TDS in order to bypass detection signatures. Between November and December of 2015, the attackers did so, shifting from an older style of injected URI path to a newer one:

AS20013 | US | arin | 2001-03-14 | CYRUSONE - CyrusOne LLC

Over the course of monitoring this traffic-distribution activity, we observed several compromised sites, some with extremely persistent code injections (lasting several months at a time without remediation, or longer). The following is a sample of sites observed to have been impacted by this activity:

How is the content injected? We’ve observed that, in recent attacks, attackers select and modify a JavaScript library used on the site, often appending their obfuscated redirection stub to the library’s contents. In many cases, attackers choose the popular jQuery library, which is used by a vast number of websites on the Internet and sometimes bundled with CMS installations. At other times, attackers alter JS libraries within installed plugins. As the visitor loads the site, the browser loads the JavaScript library—along with the attacker’s redirection code—which results in hidden redirection to the desired exploit kit. In many cases, automation is readily evident, with the injected redirection code placed between delimiting comment markers, allowing attackers to use tools to continually update the injected redirection stub and maintain a functional traffic hijack. Below is an injected script example of a compromised site:

Injected script example on compromised site

This behavior, the use of automation and the presence of delimiting markers in modified script files, is a technique that we see frequently. It points to the economy of scale that attackers can leverage as they attempt to maximize the reach of these attacks.
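A site owner can check for this kind of tampering by comparing the library a site serves against a pristine copy of the same release. The sketch below is an added example, not code from the original post: it reports content appended after the pristine library and looks for code enclosed by two identical block comments. The marker style, the function names and the sample strings are assumptions made for illustration.

```python
import hashlib
import re

BLOCK_COMMENT = re.compile(r"/\*(.*?)\*/", re.S)

def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def appended_tail(served, pristine):
    """Return what the served copy carries after the pristine library, else ''."""
    base = pristine.rstrip()
    return served[len(base):].strip() if served.startswith(base) else ""

def marker_blocks(text):
    """Find code enclosed by two identical block comments (assumed marker style)."""
    comments = [c for c in BLOCK_COMMENT.finditer(text) if c.group(1).strip()]
    found = []
    for i, opener in enumerate(comments):
        for closer in comments[i + 1:]:
            if closer.group(1).strip() == opener.group(1).strip():
                body = text[opener.end():closer.start()].strip()
                if body:
                    found.append((opener.group(1).strip(), body))
                break
    return found

def audit(served, pristine):
    tail = appended_tail(served, pristine)
    return {
        "modified": digest(served) != digest(pristine),
        "appended": tail,
        # Look for markers in the tail; fall back to the whole file for in-place edits.
        "markers": [name for name, _ in marker_blocks(tail or served)],
    }

# Constructed sample: a tiny stand-in library and a benign stub between made-up markers.
PRISTINE = "/*! demo-lib v1.0 */\n(function(){window.demoLib={};})();\n"
SERVED = PRISTINE + "/*c0ffee*/window.__constructed_stub=1;/*c0ffee*/\n"

if __name__ == "__main__":
    print(audit(SERVED, PRISTINE))
```

The comment matching is a regular-expression heuristic, so a hash mismatch against the vendor's release is the authoritative signal and the marker list is triage context.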

Domain shadowing

This malicious traffic distribution activity has another feature deserving of mention, thanks to recent attention in the security response community. The actor behind the KTS redirector regularly abuses hijacked DNS domain holder accounts, injecting rogue A records to support their own malicious name resolution, a technique known as Domain Shadowing. We have written about Domain Shadowing recently at RiskIQ, and others have as well. A sampling of past and present hostnames from KTS URLs illustrates this behavior:

This domain abuse has the following characteristics:

  • Hijacked domains are registered with GoDaddy
  • Actors started using common, discreet WWW terms such as static, cdn and img for their rogue records, but more recently shifted to smaller, two-letter names such as st and mt
  • As opposed to other actors’ abuse of hijacked domains, the KTS operators use a small number of A records (sometimes only 1-2) per affected domain, rather than hundreds or thousands of records per domain
  • Injected records typically point to hosts in the following networks:
    • AS46606 | US | UNIFIEDLAYER-AS-1 - Unified Layer
    • AS20013 | US | CYRUSONE - CyrusOne LLC
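The characteristics above translate into a triage heuristic a domain owner or analyst can run over passive DNS or a zone export. This is an added example, not tooling from the original post: it flags subdomains that resolve outside the ASNs serving a domain's apex and www hosts, then scores them against the labels and networks listed above. The hostnames, IP addresses, baseline ASNs and the two-label registered-domain rule are constructed assumptions.

```python
from collections import defaultdict

WATCH_ASNS = {46606, 20013}                            # networks listed in the article
GENERIC_LABELS = {"static", "cdn", "img", "st", "mt"}  # labels listed in the article

def registered_domain(host):
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    return ".".join(host.split(".")[-2:])

def shadow_candidates(records):
    """records: (hostname, ip, asn) tuples from passive DNS or a zone export."""
    zones = defaultdict(list)
    for host, ip, asn in records:
        host = host.lower().rstrip(".")
        zones[registered_domain(host)].append((host, ip, asn))
    hits = []
    for domain, rows in zones.items():
        # ASNs serving the apex and www are treated as the owner's baseline.
        baseline = {asn for host, _, asn in rows if host in (domain, "www." + domain)}
        odd = [r for r in rows if baseline and r[2] not in baseline]
        for host, ip, asn in odd:
            label = host[: -len(domain) - 1].split(".")[0]
            reasons = ["off-baseline-asn"]
            if asn in WATCH_ASNS:
                reasons.append("watched-asn")
            if label in GENERIC_LABELS:
                reasons.append("generic-label")
            if len(odd) <= 2:      # KTS pattern: only one or two rogue records
                reasons.append("few-records")
            hits.append({"host": host, "ip": ip, "asn": asn, "reasons": reasons})
    return sorted(hits, key=lambda h: (-len(h["reasons"]), h["host"]))

# Constructed sample records (documentation IP ranges and documentation ASNs).
SAMPLE = [
    ("example-shop.example", "192.0.2.10", 64500),
    ("www.example-shop.example", "192.0.2.10", 64500),
    ("mail.example-shop.example", "192.0.2.25", 64500),
    ("st.example-shop.example", "198.51.100.7", 46606),
    ("example-blog.example", "203.0.113.5", 64501),
    ("www.example-blog.example", "203.0.113.5", 64501),
    ("img.example-blog.example", "203.0.113.9", 64501),
    ("shop.example-blog.example", "198.51.100.40", 64502),
]

if __name__ == "__main__":
    for hit in shadow_candidates(SAMPLE):
        print(hit["host"], hit["asn"], ",".join(hit["reasons"]))
```

An off-baseline ASN alone is common for legitimate third-party services, so the score only ranks records for review against what the domain owner actually provisioned.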

In all uses of Domain Shadowing for malicious host resolution, actors gain several advantages. In a series of future posts, we will further examine the use of Domain Shadowing amid ongoing campaigns in the web threat space, illustrating different techniques utilized by threat actors.
