Research Saturday 5.5.18
Ep 34 | 5.5.18

BlackTDS and ThreadKit offered in criminal markets.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Kevin Epstein: [00:01:42] This is something that has been advertising on the markets since the end of December.

Dave Bittner: [00:01:46] That's Kevin Epstein, Vice President of Proofpoint's Threat Operations Center. We're discussing two bits of research with him today. The first is BlackTDS, a traffic distribution tool for sale in Dark Web markets. A little later in the show, he'll tell us about ThreadKit, a document exploit builder. But first, more on BlackTDS.

Kevin Epstein: [00:02:07] Traffic direction systems, TDSs, are systems that can look at your browser and the place you're coming from, and effectively, in legitimate uses, choose to then show you different ads or different web pages based on your locale and your system. This makes great sense in a legal standpoint; you'd want to see different web pages on your mobile device versus your laptop, for example. But unfortunately, in this scenario, it's being used for illegitimate purposes. In other words, people are being lured to click on a link, and then redirected to a site that will do malicious things to them based on their device.

Dave Bittner: [00:02:56] So, take us through exactly, what are they offering for sale here on these dark web markets?

Kevin Epstein: [00:03:04] So, the primary service, BlackTDS, is just this routing service. Think of it as a procurement service, where someone stops you in the street, assesses you, understands where your wallet is, and then directs you to the appropriate venue to be mugged, pickpocketed, or whatever. The various sites that people are directed to range from those that attempt to load ransomware onto systems, or software that can monitor keystrokes, or software that can intercept usernames and passwords. Really, the sky's the limit.

Dave Bittner: [00:03:41] If I'm a bad guy looking to set up my service, you know, the bad things I want to do, what part of that will this play? Is this just one of the components that I need, or are these folks offering kind of a "soup to nuts" service?

Kevin Epstein: [00:03:55] This is one of the several components and, again, to use a physical world analogy, if you want to extract money from people there are lots of ways of doing that illegally. Some more subtle, like pickpocketing, some more obvious and direct, like kidnapping you and holding you for ransom. The attackers have to choose their weapon of choice, if you will. Are they going to con you by sending you to a fake pharmacy page and persuading you to pay money for fake drugs? Are they going to be more direct and send you to a page that loads ransomware on your computer and holds your computer for hostage? Are they going to be sneaky spies and send you to a page that sneaks spyware onto your computer, and then captures usernames and passwords to your bank account?

Kevin Epstein: [00:04:41] So, they need to choose their weapon, and then they also lease this service that, again, acts like a procurement agent, sort of standing out in a safe place and routing people accordingly based on their susceptibility to these different weapons, to these different attacks.

Dave Bittner: [00:04:59] And so, from a basic point of view, how would I find myself routed by this tool?

Kevin Epstein: [00:05:05] The bad news is you'd probably never know. So, imagine yourself browsing the web, and if you click the wrong advertisement, or in an email, there might be an email solicitation for something interesting and you click the link, and instead of taking you to what you thought was a legitimate site, your tour guide has offered to give you a tour of the back alleys, and instead of an interesting new site, you end up in a very dangerous place.

Kevin Epstein: [00:05:36] And sometimes you may not even realize it. Sometimes the attack is performed as what's called a "drive-by," meaning you'd click the link, the link would say, "come visit this new travel site," your browser would open in the background. As your browser attempted to load the site, the TDS would, the traffic direction system would send you, your browser, to a site that would load some nasty things onto your system, and then on to the legitimate travel site. The only difference would be perhaps a second or two in end-page load time.

Dave Bittner: [00:06:10] Now, when you say nasty stuff that might load on my system, what are we typically talking about here?

Kevin Epstein: [00:06:16] So, in a so-called drive-by download, or in a web-based attack, you might see anything loaded on your, again, your laptop or your cellphone, ranging from the very obvious ransomware. I think at this point everyone's unfortunately familiar with the concept of happily browsing the web and suddenly your system locks up, and displays a screen that says, "all of your files have been encrypted, please pay us money to get them back."

Kevin Epstein: [00:06:44] Or you might encounter something far more subtle. You might never know that something had been loaded on your system, but behind the scenes, it was capturing your bank account username and password. And the first time you recognize this is when you log into your bank account, and your balance has been reduced to six cents, and the bank happily informs you that you transferred a large sum of money to a place you've never heard of.

Dave Bittner: [00:07:12] Can you take us through, what are some of the pop-ups that they're serving up with this service?

Kevin Epstein: [00:07:17] So, one of the things just in general web browsing that people should be suspicious of is that, often, attackers need your assistance to complete the attack. So, as you browse the web, a pop-up might say, gosh, we haven't found a Java plugin, Java 8.0, or you're missing a Windows font pack .vbs, or, gosh, you don't have the latest antivirus or spyware protection, ironically enough, click this pop-up to install that, or the Adobe Flash Player, you're missing the appropriate player, click to install.

Kevin Epstein: [00:07:57] In general, any time you see a pop-up, it's much safer to close the browser window, go directly to the supposed vendor's site. So, for example, if it says your Adobe is out of date, close that window. Go visit Adobe's website. Make sure you're up to date with their latest player from their website, and then go back to the page. If it's still popping up an error, gosh, you might not want to be there.

Dave Bittner: [00:08:22] Right. Now, you were also seeing some spam campaigns that were taking people to pharmaceutical sites, things like that?

Kevin Epstein: [00:08:31] Absolutely. So, if your browser is judged by the attacker's traffic direction system as being really well-protected, well-locked down, they're not going to give up on you. They'll still try and extract money via social tactics versus direct binary tactics. We have seen a number of generic pharmacy sites attempting to sell people so-called generic Viagra or the Super Discount pack of Viagra. Again, we've not personally tested this, but a number of us have a reasonable degree of suspicion that, if you put your credit card in, you would not actually be receiving the products advertised, and certainly not any form of Viagra.

Dave Bittner: [00:09:16] So, really, just put up there to harvest your credit card information.

Kevin Epstein: [00:09:20] And charging money. Exactly.

Dave Bittner: [00:09:23] Right, right. So, what are your recommendations for how people can protect themselves against this?

Kevin Epstein: [00:09:28] So, in general, we tend to urge the same thing that one would say to anyone approaching a big city, which is, number one, be reasonably cautious and use common sense. And number two, you still want to lock your door at night. Translated for computers, number one, if something looks too good to be true, if a website is popping up things it wants you to accept, any time anything asks you to click to enable, click to install, click to accept, be very suspicious right there.

Kevin Epstein: [00:10:04] In addition, again, on that "locking your door" theme. Be sure that you have both individual protection on your computer in the sense of antivirus software and malware protection software, and that, if you're working within an organization, that it of course also has defenses as well for the organization, in terms of inbound email and/or web browsing.

Kevin Epstein: [00:10:26] Again, I think that the most important thing is probably the hardest to quantify, which is that most of the successful attacks we see these days depend on the targeted person, us, your cooperation with the attacker. The attackers have gotten quite good at social engineering, to encourage all of us to click. If we were all sufficiently suspicious, the infection rates and compromise rates would be radically reduced. If you open an office document and it says "click to enable," don't.

Kevin Epstein: [00:11:00] If you are, again, visiting a website and it asks you to install a plugin, download something, enable something, you may be enabling the attacker more than you are enabling your web experience. So really, really, do encourage people to recognize that the Internet is a big city. We are but tourists. Let us exercise caution accordingly.

Dave Bittner: [00:11:24] Yeah, that's an interesting analogy. I want to switch gears with you a little bit and touch on another bit of research that you've all been working on at Proofpoint. This is called "Unraveling ThreadKit." Can you give us a description, what were you working on here?

Kevin Epstein: [00:11:38] ThreadKit is one of the useful things for attackers, not so great for the rest of us. As we've talked about in the past, if you are an attacker, you need a lot of pieces of your attack. Just like the physical world, again, if you're going to go rob a bank, you're going to need a getaway car, you need some weaponry, disguises, and maybe a safe-cracking set of tools. If you are a cyber attacker, you're going to need a way to deliver your threat. You're going to need the actual malware or software that gets into someone's computer, and then the software that sits on their computer and reports back to you, and steals their passwords, et cetera.

Kevin Epstein: [00:12:23] These things are possible to put together yourself, but attackers have made a multilevel business out of this. And so, ThreadKit is a way of very quickly building hostile Microsoft documents to be attached to email and delivered to you as an end-user, which then install nasty things.

Dave Bittner: [00:12:52] Describe to us, what has the campaign been with ThreadKit, and how exactly does it work?

Kevin Epstein: [00:12:58] If you picture yourself as an innocent end-user, you, if you're unlucky, will occasionally receive e-mails, possibly even purporting to be from people you know, with a very important document attached. Perhaps an invoice, or a, you know, open this quickly, it's a legal notice, et cetera. When you double-click that document, it opens, and may or may not display an enable button, but usually will have either some statement about "Microsoft Word has encountered a problem and needs to close," or it's a blank document. It's not what you were expecting.

Kevin Epstein: [00:13:40] Meanwhile, in the background, malware is being installed, thanks to your clicking on that document and starting the installation process. The ThreadKit kit is a kit for an attacker, think of it as a toolkit, where they enter certain choices, and the kit then produces as output this type of evil Word document, or evil attachment for email.

Dave Bittner: [00:14:12] Yeah, that's interesting. So you can choose from Column A, choose from column B, depending on what you're trying to set out to do with the people you're looking to victimize.

Kevin Epstein: [00:14:20] Exactly. And you don't need to write sophisticated computer code, you don't need to be a hardcore engineer. If you want to send people nasty malware, you can do it at the click of a button.

Dave Bittner: [00:14:37] There was an interesting thing that you all noticed, digging into some of the technical details. In October of 2017, you all discovered an interesting technique that this uses to locate a parent document to avoid hard-coding it. Can you dig into what exactly was going on here?

Kevin Epstein: [00:14:56] If you want to get malware on someone's computer, the hard way to do it is to pack it all into one big document. Think of showing up at someone's door, where you want to sneak something into their house. If you're carrying a suitcase, it's a lot easier to spot you, especially if the suitcase has the same writing on it all the time, on the side, in big red letters, you know, this is dangerous. All you need to do is train people, or in this case, antivirus programs, to look for that signature, and they'll stop it.

Kevin Epstein: [00:15:26] What the ThreadKit builders did was create, effectively, sort of a small briefcase with a callout that, in a very smart way, then figures out how to reach back outside, and grab the rest of the things it needs, and load them in by itself. Specifically, it can change the name of what it's looking for. So, again, if you're an antivirus program, it's more challenging to spot this happening, to find a so-called signature for the bad stuff being loaded.

Dave Bittner: [00:16:07] So, again, in terms of people protecting themselves against this sort of thing, is it really the standard looking out for rogue Microsoft Office documents?

Kevin Epstein: [00:16:18] Yes, and at the same time hardly that simple. So, on the one side, absolutely, if none of us ever opened email attachments, the relative infection rate would probably drop. But of course, as part of business, we send each other email with document attachments all the time. Part of it is social engineering. Again, if you receive something from someone where you were not expecting an attachment, or, if you open an attachment, and it does something unexpected, it claims that it encountered a problem, or it asks you to enable macros, or something like that, then you should be suitably suspicious and report it to IT immediately.

Kevin Epstein: [00:17:01] That said, because documents will be sent, because documents will be opened, it is also necessary to have, both on your local system, software that looks for suspicious behavior, and, outside of your system, software that is examining the network traffic to and from your computer, so that when/if you get infected by one of these things, and it tries to load more malware onto your system, that behavior can be observed and blocked.

Dave Bittner: [00:17:33] So, looking at the big picture, with these malware-as-a-service offerings, what do you think that this indicates? I mean, a couple of things strike me. First of all, that the bad guys, rather than doing the bad things themselves, are selling these kits to do the bad things. That's interesting. But then also, if you're, I guess, the cost of entry to be able to do these things has gone way down, because other people are willing to step up and do the technical work for you.

Kevin Epstein: [00:18:03] Absolutely correct. Make no mistake, cyber crime is a huge business. It is a sophisticated, multilevel, comparable to any major entity or entities around the world, business. They have supply chains. Just as a large company would depend on specialty manufacturers for certain elements, so do the attackers. There are folks who specialize in creating malware. There are folks who specialize in building kits. There are folks who specialize in the emailing of large volumes of email, folks who specialize in creating target lists of potential recipients, you name it.

Kevin Epstein: [00:18:46] Again, this is all about the money. If you want to know attack trends, just apply the same rules as you would to any business. Look for the best return on your investment. For instance, when ransomware emerged, it provided a very high return relative to other types of attacks. It was relatively simple malware to create, it did not require lots of targeting, and it was direct money from each recipient. As people grew better at blocking ransomware, and as people grew more cynical about paying the ransoms, not believing they would get their files back, the return on that investment dropped for attackers, and we saw a commensurate fall in ransomware, and increases in other forms of malware, such as cyber currency miners.

Kevin Epstein: [00:19:34] I would, again, simply, back to your comment about business, I would emphasize cybercrime is a business. If you can make it more expensive for the cyber criminal to successfully attack you, versus the next possible target, you will be reasonably successful in your defense. Just like living in a big city, it's not about making your apartment invulnerable, it's about making it harder to break into an easier target.

Dave Bittner: [00:20:04] Yeah, it's that old joke about if you and I are being chased by a bear, I don't have to outrun the bear, I just have to outrun you.

Kevin Epstein: [00:20:10] The bear theory, unfortunately, applies to the world of security, it is true.

Dave Bittner: [00:20:18] Our thanks to Kevin Epstein from Proofpoint for joining us. You can learn more about BlackTDS and ThreadKit on the Proofpoint website. It's in their blog section.

Dave Bittner: [00:20:28] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:20:37] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:20:45] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.