Threat actors have abused the legitimate Keitaro Traffic Direction System (TDS) to funnel victims to the RIG and Fallout exploit kits, which in turn push malware, as part of both malvertising and malspam campaigns.
A TDS is a web-based gateway that applies a set of criteria to each incoming request and redirects the visitor to a specific online resource. Legitimate ones such as Keitaro are used by advertisers to optimize their advertising campaigns and target specific audiences, but they are also known to be frequently leveraged by threat actors for various malicious tasks.
Keitaro, for instance, provides more than 20 filters for precise web-traffic targeting, including geolocation, mobile operator, device and browser information, timetable and more.
There are also TDSs built specifically for illicit use, such as EITest, Seamless, Sutra, BlackOS and NinjaTDS, whose job is to redirect potential victims to exploit kits that attempt to infect them with various malware strains.
"A Traffic Direction System (TDS) is a very useful tool for an attacker who wishes to restrict the distribution of malicious content,"
according to Proofpoint. "An actor running a TDS can ensure that web crawlers and security vendors are unable to see anything malicious, but real browsing users are redirected to exploits and malware."
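The gating described above (the filter set of the kind Keitaro exposes, and the crawler/vendor filtering Proofpoint describes) can be modelled in a few dozen lines, together with the differential check a defender runs against it. The block below is an added illustration and is not Keitaro's software, nor any campaign's tooling: the filter rules, the crawler markers, the decoy and landing URLs, the denied network range and the sample requests are all constructed for this example.

```python
"""Toy model of how a traffic direction system (TDS) gates visitors.

Added illustration, not Keitaro's code. Every rule, marker, URL and sample
request below is an assumption made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    src_ip: str
    user_agent: str
    accept_language: str
    country: str          # assumed to come from an upstream GeoIP lookup
    when: datetime        # timezone-aware


@dataclass(frozen=True)
class Campaign:
    allowed_countries: frozenset
    mobile_only: bool
    active_hours_utc: tuple   # (start_hour, end_hour), half-open interval
    deny_networks: tuple      # CIDR strings for scanner/vendor ranges (constructed)


# Constructed crawler/scanner markers; a real TDS ships a far larger list.
CRAWLER_MARKERS = ("googlebot", "bingbot", "curl/", "wget/",
                   "python-requests", "headlesschrome")

DECOY_URL = "https://example.invalid/decoy"      # benign page shown to filtered traffic
LANDING_URL = "https://example.invalid/landing"  # where the campaign actually sends victims


def is_crawler(user_agent: str) -> bool:
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def is_mobile(user_agent: str) -> bool:
    ua = user_agent.lower()
    return "mobile" in ua or "android" in ua or "iphone" in ua


def route(req: Request, camp: Campaign) -> tuple:
    """Return (destination, reason). Every filter must pass to reach LANDING_URL."""
    if is_crawler(req.user_agent):
        return DECOY_URL, "crawler user-agent"
    if any(ip_address(req.src_ip) in ip_network(net) for net in camp.deny_networks):
        return DECOY_URL, "source in denied range"
    if req.country not in camp.allowed_countries:
        return DECOY_URL, "geo mismatch"
    if camp.mobile_only and not is_mobile(req.user_agent):
        return DECOY_URL, "not a mobile device"
    start, end = camp.active_hours_utc
    if not start <= req.when.astimezone(timezone.utc).hour < end:
        return DECOY_URL, "outside timetable"
    return LANDING_URL, "all filters passed"


def cloaking_check(probe: Request, victim_profile: Request, camp: Campaign) -> bool:
    """Defender-side differential test: same gateway, two request profiles.

    True means the gateway serves different destinations to the two profiles,
    which is the signature of cloaking.
    """
    return route(probe, camp)[0] != route(victim_profile, camp)[0]


# Constructed campaign and sample requests (not captured data).
CAMPAIGN = Campaign(
    allowed_countries=frozenset({"US", "CA"}),
    mobile_only=True,
    active_hours_utc=(8, 20),
    deny_networks=("192.0.2.0/24",),
)
_DAY = datetime(2019, 2, 5, 14, 0, tzinfo=timezone.utc)
_NIGHT = datetime(2019, 2, 5, 3, 0, tzinfo=timezone.utc)
_ANDROID = ("Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36")
_DESKTOP = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36")

SCANNER = Request("203.0.113.10", "python-requests/2.21.0", "en-US", "US", _DAY)
VENDOR = Request("192.0.2.44", _ANDROID, "en-US", "US", _DAY)
VICTIM = Request("198.51.100.7", _ANDROID, "en-US,en;q=0.9", "US", _DAY)
DESKTOP_USER = Request("198.51.100.8", _DESKTOP, "en-US", "US", _DAY)
OFF_HOURS = Request("198.51.100.9", _ANDROID, "en-US", "US", _NIGHT)
WRONG_GEO = Request("198.51.100.10", _ANDROID, "de-DE", "DE", _DAY)

if __name__ == "__main__":
    for name, req in [("scanner", SCANNER), ("vendor", VENDOR), ("victim", VICTIM),
                      ("desktop", DESKTOP_USER), ("off-hours", OFF_HOURS),
                      ("wrong-geo", WRONG_GEO)]:
        dest, why = route(req, CAMPAIGN)
        print(f"{name:10} -> {dest}  ({why})")
    print("cloaked:", cloaking_check(SCANNER, VICTIM, CAMPAIGN))
```

The practical takeaway for anyone reproducing a reported redirect chain: a fetch from a datacenter range with a scripting user-agent is exactly the profile the gateway discards, so the decoy page proves nothing. Fetch the same URL with a realistic browser profile from a source the gateway is likely to trust, then compare the two destinations; a divergence is the cloaking signal, and the full chain from both fetches is what belongs in the report.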