A software company named Keitaro has long been labeled by cybersecurity vendors as a legitimate traffic distribution system vendor, yet the company's product is repeatedly used for malicious activity by cybercriminals.
Despite being described as a legitimate TDS by Microsoft and other security vendors, Keitaro has been referenced in numerous threat reports from various cybersecurity vendors and researchers over the span of at least eight years - including new reports in recent months.
Researchers say Keitaro is one of the most widely used TDSes in the threat landscape, with threat activity going beyond malvertising schemes and tech support scams that infect consumer devices.
While analyzing a large spike in activity from the RIG exploit kit in January 2016, ThreatLabZ researchers discovered a connection to Keitaro's TDS. According to then-ThreatLabZ security researcher Ed Miles, who wrote the blog post, a Keitaro campaign was generating a significant amount of traffic to the domains of RIG and another exploit kit known as Nuclear.
Additional threat reports published in later years connected Keitaro with malicious activity and malvertising campaigns.
Abuse of Keitaro's TDS continues, according to more recent threat reports from various security vendors and researchers.
TechTarget Editorial first contacted Keitaro and its parent company Apliteni in November 2022 to ask whether Microsoft contacted them about the reported threat activity and if the company had addressed the abuse in any way.
Rud also said Keitaro is not a TDS and objected to its product being referred to as such.
Threat researchers said they continued to observe such functionality in the Keitaro TDS.
Sherrod DeGrippo, formerly vice president of threat research and detection at Proofpoint, said that at the time of the 2019 threat report, researchers confirmed the existence of the antivirus and sandbox checks in the Keitaro TDS. However, she agreed that such antivirus checks could be used for legitimate purposes such as determining if an advertiser's content is being blocked by certain programs.
While there was no evidence that Keitaro had knowledge of the IcedID campaign, Jaramillo said the TDS has been used by multiple threat groups for many years.
Following Microsoft's DEV-0569 report and the IcedID campaigns, threat activity on Keitaro continued in 2023.
In October, the vendor published a threat report on fake browser updates that analyzed three distinct campaigns using the Keitaro TDS. The first campaign featured SocGholish activity from an initial access broker Proofpoint tracks as TA569, in which the TDS redirects users from a series of compromised stage 1 domains to actor-controlled stage 2 domains where the fake browser update notifications are delivered, leading to malware infections.
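The stage 1 → TDS → stage 2 redirect pattern described above is something a defender can look for in web proxy logs. The following is an added detection example written for this article, not code from Proofpoint or any vendor named here; the log format and all domain names are constructed, and a production version would compare registered domains (eTLD+1) rather than raw hostnames.

```python
"""Reconstruct HTTP redirect chains from proxy logs and flag chains that cross
several distinct hosts, the shape of a stage 1 (compromised site) -> TDS ->
stage 2 (actor-controlled) hand-off. Log records and domains are constructed."""
from urllib.parse import urlparse

# Constructed proxy log: (timestamp, client_ip, requested_url, status, location_header)
SAMPLE_LOG = [
    ("10:00:01", "10.0.0.5", "http://compromised-blog.example/post", 200, None),
    ("10:00:02", "10.0.0.5", "http://compromised-blog.example/stage1.js", 302,
     "http://tds-redirector.example/click?cid=42"),
    ("10:00:02", "10.0.0.5", "http://tds-redirector.example/click?cid=42", 302,
     "http://update-notify.example/browser_update.html"),
    ("10:00:03", "10.0.0.5", "http://update-notify.example/browser_update.html", 200, None),
    # Benign same-site redirect for contrast: must not be flagged.
    ("10:05:10", "10.0.0.7", "http://shop.example/short", 301, "https://shop.example/long"),
    ("10:05:10", "10.0.0.7", "https://shop.example/long", 200, None),
]

def host_of(url):
    return urlparse(url).hostname or ""

def build_chains(log):
    """Per client, a 3xx response whose Location equals the client's next request
    is one hop; consecutive hops form a chain of requested URLs."""
    by_client = {}
    for _ts, client, url, status, location in log:
        by_client.setdefault(client, []).append((url, status, location))
    chains = []
    for client, reqs in by_client.items():
        i = 0
        while i < len(reqs):
            url, status, location = reqs[i]
            chain = [url]
            while (300 <= status < 400 and location
                   and i + 1 < len(reqs) and reqs[i + 1][0] == location):
                i += 1
                url, status, location = reqs[i]
                chain.append(url)
            if len(chain) > 1:
                chains.append((client, chain))
            i += 1
    return chains

def flag_tds_chains(chains, min_hosts=3):
    """Flag chains spanning at least min_hosts distinct hosts and label the roles:
    first host = stage 1 entry, middle hosts = redirector(s), last = stage 2."""
    findings = []
    for client, chain in chains:
        distinct = list(dict.fromkeys(host_of(u) for u in chain))  # order-preserving
        if len(distinct) >= min_hosts:
            findings.append({"client": client, "stage1": distinct[0],
                             "tds": distinct[1:-1], "stage2": distinct[-1]})
    return findings
```

Same-site redirects such as the shop.example hop are ignored because they never cross a host boundary, so the rule keys on the multi-domain hand-off rather than on redirects as such.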
Larson, who co-authored the December report, said Keitaro is one of the most frequently abused TDSes it has tracked, along with 404 TDS, which is not a commercially available product.
The TDSes are primarily black market, threat actor-controlled tools such as Parrot and VexTrio's own TDSes, though the report cited one commercial product: Keitaro.
Renée Burton, head of threat intelligence at Infoblox, said the research team found no evidence to suggest Keitaro was a VexTrio partner and actively supporting the cybercrime operation.
The researchers were also able to trigger redirects by sending queries to servers running the Keitaro TDS through virtual machines, which indicates the product performed sandbox checks.
Burton said Infoblox researchers saw no evidence in the VexTrio activity that the Keitaro software had been tampered with or modified.
Currently, none of the major antimalware or threat detection vendors proactively block Keitaro by default, as is the case for BlackTDS, Prometheus, 404 and others.
Keitaro's rise in popularity among threat actors stems in large part from the fact that its TDS activity isn't flagged as malicious, Jaramillo said, and as long as that's the case, threat activity will likely continue.
This Cyber News was published on www.techtarget.com. Publication date: Tue, 09 Apr 2024 14:43:05 +0000