Full Report
A topological analysis and case studies add nuance to a study of malicious traffic distribution systems. We compare their use by attackers to benign systems. The post Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems appeared first on Unit 42.
Analysis Summary
# Tool/Technique: Malicious Traffic Distribution Systems (TDS) Infrastructure
## Overview
Traffic Distribution Systems (TDS) are routing services that attackers abuse to manage and obfuscate large volumes of illicit network traffic, commonly in phishing campaigns, malvertising, and online gambling operations. A TDS acts as a central routing mechanism that redirects victims through a complex, often multi-layered network of servers; this makes the final malicious destination hard to trace and helps the operator evade detection.
## Technical Details
- Type: Infrastructure/Technique
- Platform: Network Infrastructure (Servers, DNS resolution)
- Capabilities: Redirecting network traffic, obfuscating final destinations, managing multiple malicious endpoints simultaneously.
- First Seen: Not specified in the source; the concept itself is long-established.
## MITRE ATT&CK Mapping
*Note: Since TDS is infrastructure used for redirection, the primary mappings relate to Command and Control or Initial Access.*
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.004 - DNS
- *The use of TDS inherently involves manipulating DNS resolution and redirection.*
## Functionality
### Core Capabilities
- Centralized traffic management and distribution.
- Redirection of victim traffic through an often complex, multi-layered set of intermediate servers.
- Obfuscation of the true destination of the malicious payload or service.
### Advanced Features
- Management of multiple malicious endpoints concurrently.
- Exhibits distinct topological characteristics (more URLs and higher connection volume) compared to benign redirection networks, allowing for machine learning-based detection.
## Indicators of Compromise
- File Hashes: N/A (Infrastructure focus)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: High volume of sequential or cascading redirects involving multiple URLs; high connection density observed in topological analysis.
- Behavioral Indicators: Sudden, unexpected redirection chains originating from seemingly legitimate-looking initial links.
## Associated Threat Actors
- Threat actors running large-scale illicit operations such as phishing, malvertising, and online gambling services.
## Detection Methods
- **Signature-based detection:** Matching the URLs or IP addresses in a redirect chain against known malicious indicators.
- **Behavioral detection:** Employing machine learning models trained on topological features (high URL count, high connection density) characteristic of malicious TDS networks.
- **YARA rules:** N/A
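The behavioral approach above, as an added example that is not code from the Unit 42 report: it rebuilds the redirect graph reachable from an entry URL out of constructed proxy-log records, derives the topological features the report names (distinct URL count, redirect depth, connection volume per URL), and flags a chain whose topology matches the malicious-TDS profile. The hostnames and the two thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample redirect observations as (source URL, destination URL)
# pairs, as a proxy or URL-filtering log would yield; hostnames are invented.
BENIGN_REDIRECTS = [
    ("http://short.example/abc", "https://www.example.com/article"),
    ("https://www.example.com/article", "https://www.example.com/article?ref=short"),
]
TDS_REDIRECTS = [
    ("http://ad-entry.example/click?id=1", "http://tds-gate.example/go"),
    ("http://tds-gate.example/go", "http://tds-hop1.example/r"),
    ("http://tds-gate.example/go", "http://tds-hop2.example/r"),
    ("http://tds-hop1.example/r", "http://tds-hop3.example/r"),
    ("http://tds-hop2.example/r", "http://tds-hop3.example/r"),
    ("http://tds-hop3.example/r", "http://landing-a.example/"),
    ("http://tds-hop3.example/r", "http://landing-b.example/login"),
]

# Illustrative thresholds (assumptions, not values from the report): a chain
# that reaches this many URLs over this many hops is treated as TDS-like.
MIN_URLS = 5
MIN_DEPTH = 3

def chain_features(entry, redirects):
    """Follow every redirect reachable from `entry` and summarise the topology."""
    graph = defaultdict(set)
    for src, dst in redirects:
        graph[src].add(dst)
    depth = {entry: 0}          # URL -> hops from the entry point (BFS order)
    frontier = [entry]
    while frontier:
        nxt = []
        for url in frontier:
            for dst in graph[url]:
                if dst not in depth:  # re-joining paths and cycles counted once
                    depth[dst] = depth[url] + 1
                    nxt.append(dst)
        frontier = nxt
    edges = sum(len(graph[u]) for u in depth)  # redirects inside the chain
    return {
        "urls": len(depth),                # distinct URLs in the chain
        "max_depth": max(depth.values()),  # longest redirect path, in hops
        "density": edges / len(depth),     # redirects per URL (connection volume)
    }

def is_tds_like(entry, redirects):
    f = chain_features(entry, redirects)
    return f["urls"] >= MIN_URLS and f["max_depth"] >= MIN_DEPTH
```

Run on real logs, the same features feed the machine-learning classifier the report describes instead of fixed thresholds.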
## Mitigation Strategies
- Implementing advanced DNS security solutions to monitor and scan DNS resolution traffic for suspicious patterns.
- Utilizing advanced URL filtering services to block access to known malicious redirectors or domains composing the TDS infrastructure.
- Analyzing network flow topology to identify overly complex or unusually dense redirection paths.
## Related Tools/Techniques
- Malvertising Networks
- Phishing Kits
- Fast Flux DNS techniques (as a related obfuscation method)