Why the Keitaro TDS keeps causing security headaches
Keitaro insists it is on the side of the law, but threat actors continue to flock to the software company's traffic distribution system to redirect users to malicious domains.
A software company named Keitaro has long been labeled by cybersecurity vendors as a legitimate traffic distribution system vendor, yet the company's product is repeatedly used for malicious activity by cybercriminals.
In November 2022, Microsoft published a report about a threat actor it identified as DEV-0569 (now tracked as Storm-0569) that used innovative approaches to deliver malware payloads such as Royal ransomware, which has frequently targeted healthcare organizations as well as other industries. One such approach that Microsoft researchers discovered was a malvertising campaign that abused Google Ads.
DEV-0569's malicious ads pointed to "the legitimate traffic distribution system (TDS) Keitaro," which offers capabilities for customizable ad campaigns such as traffic tracking, as well as user- and device-based filtering, according to the blog post.
"Microsoft observed that the TDS redirects the user to a legitimate download site, or under certain conditions, to the malicious BATLOADER download site," the blog post said. "Using Keitaro, DEV-0569 can use traffic filtering provided by Keitaro to deliver their payloads to specified IP ranges and targets. This traffic filtering can also aid DEV-0569 in avoiding IP ranges of known security sandboxing solutions."
Despite being described as a legitimate TDS by Microsoft and other security vendors, Keitaro has been referenced in numerous threat reports from various cybersecurity vendors and researchers over the span of at least eight years -- including new reports in recent months.
Researchers say Keitaro is one of the most widely used TDSes in the threat landscape, with threat activity going beyond malvertising schemes and tech support scams that infect consumer devices. Numerous threat reports have documented complex threat campaigns with some of the most notorious ransomware, malware and exploit kits that have long plagued enterprises.
While those reports don't accuse Keitaro of direct culpability in any malicious activity, a yearlong investigation into the company by TechTarget Editorial raises questions about Keitaro's operations and its efforts to restrict abuse of its software.
Keitaro's history
Keitaro is an Estonian company formed in 2009 by a developer named Artur Sabirov, who also founded marketing software vendor Apliteni three years earlier. At that time, the company was known as Keitaro Software Solutions and offered a suite called KeitaroTDS that it described as "a new functional and, for the first time, convenient tool for full control, management and analysis of your web traffic."
A TDS operates as a traffic management tool that redirects users from one website to another. TDSes are sometimes used to move web traffic to digital ad domains, but they've become notorious over the years in the infosec community as tools for cybercriminals to deliver malware or redirect unsuspecting users to malicious domains.
Some TDSes are deeply embroiled in malicious activity and advertised on dark web markets to cybercriminals. Examples include the Prometheus TDS and BlackTDS offerings, which are typically blocked by threat detection and firewall vendors.
But other TDS providers, like Keitaro, are considered legitimate companies by cybersecurity vendors -- despite repeated appearances in threat reports.
One of the first such reports was a 2016 blog post from Zscaler's ThreatLabZ that analyzed Keitaro's connection to the RIG exploit kit. While analyzing a large spike in activity from the exploit kit in January 2016, ThreatLabZ researchers discovered a connection to Keitaro's TDS. According to then-ThreatLabZ security researcher Ed Miles, who wrote the blog post, a Keitaro campaign was generating a significant amount of traffic to the domains of RIG and another exploit kit known as Nuclear.
More importantly, Miles said an analysis of Keitaro's platform revealed some concerning elements, particularly features that appeared to be designed specifically for threat actors. For example, the TDS has an option to run antivirus software checks, which he said helps threat actors evade detection -- a feature first spotted by an anonymous security researcher known as "Kafeine." In addition, Keitaro support documentation offers guidance on how to break referrer chains, which hampers security researchers' ability to trace malicious activity on the TDS.
"It's clear that the flexibility in Keitaro's configuration options make it a powerful partner for the criminal operators of these and other exploit kits," Miles wrote.
Cybercriminal abuse of digital advertising platforms and tools like TDSes is unfortunately common. However, threat analysts have noted that some ad tech companies look the other way and even enable the abusers, who are paying customers of those companies.
Additional threat reports published in later years connected Keitaro with malicious activity and malvertising campaigns. In 2017, an anonymous security researcher known as "Malware Breakdown" also observed Keitaro sending traffic to RIG, as well as another exploit kit known as Sundown, albeit with different indicators of compromise (IOCs) than what Zscaler researchers observed the year before. In a follow-up post two months later, the researcher observed Keitaro again sending traffic to RIG as well as tech support scam domains.
Proofpoint's 2019 Q3 Threat Report noted Keitaro was connected to a significant increase in web-based threats, specifically "millions of malvertising impressions and URL-based malicious messages" during that period. Once again, researchers observed the company's TDS redirecting unsuspecting users to exploit kits, including RIG, though Proofpoint called Keitaro a "legitimate service" that was being abused by threat actors.
Proofpoint's report also described why Keitaro's TDS was such a valuable tool for cybercriminals. "Because Keitaro also has many legitimate applications, it is frequently difficult or impossible to simply block traffic through the service without generating excessive false positives, although organizations can consider this in their own policies."
Miles told TechTarget Editorial that while he isn't sure how prevalent Keitaro abuse currently is, public threat intelligence showed malware has been "distributed extensively" through the TDS via recent malvertising and SEO poisoning activity.
"I'm obviously not a lawyer, so I can't really comment about culpability, but from my previous analysis it did seem like they know how threat actors are using their product and have made some choices to support them," he said. "However, looking at data shared by other researchers it's clear that Keitaro continues to be used quite a bit in delivering malware."
A history of misuse
Abuse of Keitaro's TDS continues, according to more recent threat reports from various security vendors and researchers. The reports share common elements: first, the TDS abuse usually involves redirection to known exploit kits. Second, the reports typically make no mention of any response or corrective actions taken by Keitaro regarding the abuse.
TechTarget Editorial first contacted Keitaro and its parent company Apliteni in November 2022 to ask whether Microsoft contacted them about the reported threat activity and if the company had addressed the abuse in any way. Hryhorii Babanskyi, head of Keitaro technical support and customer service, provided information via email about how Keitaro's "tracker" software functions as a self-hosted tool, but he did not directly address the questions.
"We as the owners and developers of the product are not responsible for malicious content promoted with the Keitaro tool. This is stated in the license agreement," Babanskyi said. "The license agreement also states that we prohibit the distribution of malware through Keitaro."
When asked if Keitaro has any means of suspending a customer account or software license if a customer is found to be abusing the TDS product, Ivan Rud, chief marketing officer at Keitaro, said those actions "should be handled by the cyber police."
"We are developers; our job is to improve the product for our users," Rud wrote. "If the cyber police come to us and make a request to block the license, we do it flawlessly. We are on the side of the law."
Rud explained that there is little Keitaro can do to prevent abuse of its product. He said if Microsoft or the "cyber police" provide an IP address connected to the DEV-0569 threat activity, Keitaro can check that address against license holders and revoke the software license; that license revocation, he later explained, prevents customers from accessing the administrator panel.
Rud added that "Russian hackers" cracked Keitaro's software and distributed pirated copies, which bypass the license validation for access to the admin panel so that cybercriminals can use the product in spam and malware campaigns. To that end, Rud highlighted a website called NullSEO, a marketplace for SEO and digital marketing software tools. NullSEO has several listings for various editions and versions of Keitaro TDS, as do other forums that traffic in cracked or "nulled" software.
Rud also said Keitaro is not a TDS and objected to its product being referred to as such. He asserted that its product is an advertising tracker with a flow distribution functionality used for A/B tests, de-emphasizing its TDS functionalities. A/B or split testing in digital advertising and marketing refers to the practice of presenting two versions of the same website or ad to see which one performs better with user responses.
TechTarget Editorial also inquired about the antivirus checks and sandbox detections in Keitaro's product, as described in Zscaler's report, but Rud emphatically denied such options existed.
However, a 2016 tweet and screenshot from Kafeine clearly show the interface of a Keitaro software demo with an option for the antivirus check services Viruscheckmate and AVscan.
Oh, nice ! KeitaroTDS has added an "AV Check Service" feature. Hum, wait...who would need this ? Line crossed ;-) pic.twitter.com/3cMme1EjAt
— Kafeine (@kafeine) January 23, 2016
Rud offered explanations.
"The keyword here is DEMO. This is just a demonstration of the interface of what could potentially be in the tracker," he wrote. "One of the developers wanted to add this functionality, but we stopped it since this is not our vector of development. Later on, we fired him altogether. We work on the side of the law."
Rud expressed frustration with the inquiries about the 2016 screenshots and said Microsoft has not contacted the company about the problem.
"How do the screenshots of 2016 relate to the current situation? I don't quite understand," he wrote. "Microsoft has not contacted us about this problem. We heard about it from you. You seem to care about it more than they do. It's just not clear why.
"Instead of figuring out how our product works, you're trying to find at least something to blame us for. Do you need to make a drama?"
Red flags
While Keitaro denied any wrongdoing or failures with the DEV-0569 campaign or any other reported malicious activity, an examination of the company revealed a pattern of red flags.
Though Rud said the antivirus check option was a demo feature that never made it into the final production, Keitaro's own website shows otherwise. For example, Proofpoint's 2019 Q3 Threat Report highlighted Keitaro's ability to check for sandbox environments. "Keitaro can be used to detect potential markers of research environments and sandboxes, redirecting browsers seamlessly to legitimate sites and thwarting automated detection of malicious redirection," it read.
TechTarget Editorial asked about the inconsistencies and inquired about the fired developer who, according to Rud, had added this functionality.
Rud asserted that Keitaro's TDS had no such functionality but explained that services like AVscan allow legitimate clients to determine if their advertisements are being incorrectly flagged by certain antivirus programs and avoid serving ads to systems that have those programs installed.
"An AV check could help customers receive notifications that their site is being blocked by an antivirus, which means they lose traffic, and not all users see their site," he wrote.
A Keitaro blog post in 2014 from Sabirov describes, according to Google Translate, updates for version 6.2 of the software that include "the integration of two useful services," one of which is Viruscheckmate. Another blog post from 2016 attributed to "Support" details updates for version 7.3, which includes a "Fixed bug with Viruscheckmate."
When asked about the blog posts, Rud acknowledged that Viruscheckmate and AVScan "were indeed part of earlier product versions," though he said the features were eventually discontinued. "I don't know the details, but it seems it was due to reputational risks, as the services began to be used by malicious actors to check their code," he wrote.
Threat researchers said they continued to observe such functionality in the Keitaro TDS. Sherrod DeGrippo, formerly vice president of threat research and detection at Proofpoint, said that at the time of the 2019 threat report, researchers confirmed the existence of the antivirus and sandbox checks in the Keitaro TDS.
However, she agreed that such antivirus checks could be used for legitimate purposes such as determining if an advertiser's content is being blocked by certain programs. She also said that businesses generally try to collect as much information from end users as possible, including any antivirus, sandbox or virtual technology they may be using.
DeGrippo said Proofpoint researchers in 2019 reported the malicious activity to both Keitaro and upstream advertising companies that were serving the malicious ads. "In both cases the companies appeared responsive to the provided evidence, but Proofpoint did not observe a related decrease or cessation of the threat activity," she said.
In fact, Proofpoint has seen the opposite in recent years. DeGrippo said threat activity appeared to expand, as at least five distinct threat groups the vendor tracks have made "regular use" of Keitaro with dozens of campaigns. "Throughout 2022 it has been used by a group we track as TA578 to deliver Bumblebee loader, which in turn dropped IcedID, a botnet known to lead to high-profile ransomware deployments," DeGrippo said.
IcedID activity, which continued in 2023, was also observed in a malvertising campaign on Google AdSense by other security vendors, including Trend Micro and Sophos. Paul Jaramillo, director of threat hunting and intelligence at Sophos, presented research about the malvertising activity with Sophos threat analyst Colin Cowie during the FIRST Technical Colloquia and Symposia in Amsterdam in April 2023.
Jaramillo said it was the first time they had observed the notorious malware being delivered through a malvertising campaign, which he called effective. The attackers appeared to target IT support personnel and administrators by presenting malicious ads for remote management and communication tools like Cisco Webex, Microsoft Teams and others.
While there was no evidence that Keitaro had knowledge of the IcedID campaign, Jaramillo said the TDS has been used by multiple threat groups for many years. Delivery-as-a-service groups have flocked to the TDS not just because of its ability to precisely target users based on geographic location, security protections and other technical specs, but also because of the "elements of ambiguity" that Keitaro provides as a commercial entity.
"Keitaro is a very popular choice for e-crime operators because it's widely available, it's feature-rich and it offers ambiguity," he said. "Where other black-market [TDS] options come and go, Keitaro is an actively developed commercial product. It's also used for legitimate business, and that requires you to do some analysis before a hosting provider or law enforcement can take it down."
Keitaro partners with several digital ad tech companies that have been embroiled in malicious activity for years, including Adsterra and PropellerAds. Those two companies were implicated in an extensive malvertising campaign in 2019, dubbed Master134 by researchers at Check Point Software Technologies.
While Adsterra denied any wrongdoing in the Master134 campaign and said it suspended all accounts associated with the activity, the company was still connecting to the malicious IP address behind the campaign six months after Check Point's report.
Check Point researchers classified Adsterra as a repeat offender in the malvertising threat landscape, whose leadership either chooses to ignore signs of abuse or tacitly allows malicious activity on its platform. Like Keitaro, Adsterra is typically considered a legitimate commercial entity.
Continued malicious activity
Following Microsoft's DEV-0569 report and the IcedID campaigns, threat activity on Keitaro continued in 2023. In the spring, members of ThreatCat.ch, a collective of threat analysts and incident response experts, detected extensive activity connected to SocGholish malware.
An anonymous ThreatCat.ch member known as "Miau" told TechTarget Editorial the group observed the threat actor moving the TDS infrastructure to different domains and IP addresses from time to time to evade detection. They also observed the TDS sending U.S. users from compromised websites directly to SocGholish domains while European users were redirected to tech support scam pages.
Miau said ThreatCat.ch was unfamiliar with Keitaro and had only recently started tracking activity around its TDS. Given the volume of malicious activity they observed, the researchers at first assumed Keitaro was a black market tool like Prometheus and BlackTDS.
"We weren't even aware that Keitaro was claiming to be at least semi-legit," Miau said, adding that it is possible the company is legitimate and the TDS was simply being abused on a wide scale by cybercriminals.
Proofpoint observed more threat activity in 2023. In October, the vendor published a threat report on fake browser updates that analyzed three distinct campaigns using the Keitaro TDS. The first campaign featured SocGholish activity from an initial access broker Proofpoint tracks as TA569, in which the TDS redirects users from a series of compromised stage 1 domains to actor-controlled stage 2 domains where the fake browser update notifications are delivered, leading to malware infections. The other two campaigns, tracked as "RogueRaticate" and "ClearFake," featured similar filtering and redirections through the TDS.
Selena Larson, senior threat intelligence analyst at Proofpoint, said the company observed an increase in fake update activity clusters using Keitaro during the second half of 2023 to redirect potential victims and "essentially make sure they're only infecting the people they want to infect" while avoiding bots, sandboxes and security researchers.
TechTarget Editorial contacted Rud about the October report from Proofpoint and asked if the IP addresses contained in the IOCs were associated with Keitaro customers. "Unfortunately, it turns out that the party in question is indeed our client," he said.
Rud claimed the servers cited in the Proofpoint report had been previously decommissioned and that Keitaro's internal investigation traced the client's activity to several accounts. "As a result, we've initiated the process of blocking this client and all his servers, revoking their license and cutting off access to our product," he said.
In addition, Rud explained that Keitaro was developing a cloud version of its platform and that "such misuse scenarios will be fully preventable" once the company transitions to that version.
TechTarget Editorial sent Rud additional IOCs from other threat reports, including an IP address cited by ThreatCat.ch, but he claimed these were not associated with any current or former Keitaro clients.
In yet another report published by Proofpoint on Dec. 21, the cybersecurity vendor observed broader threat activity connected to the Keitaro TDS. This time, phishing campaigns sent "tens of thousands of emails targeting dozens of industries" in the U.S. and Canada in attack chains that used 404 TDS and Keitaro to eventually deliver DarkGate malware. Larson, who co-authored the December report, said Keitaro is one of the most frequently abused TDSes it has tracked, along with 404 TDS, which is not a commercially available product.
The 'VexTrio' cybercriminal ecosystem
Perhaps the most alarming research is a January 2024 report from Infoblox, a networking and cybersecurity vendor that detailed a massive cybercrime operation called "VexTrio." According to the report, VexTrio is the single largest malicious traffic broker in the threat landscape, with more than 70,000 malicious domains and 60-plus affiliate partners, including the threat actors behind SocGholish and ClearFake malware.
Infoblox found the VexTrio operation uses an array of TDSes to route users and compromised website traffic to malware, tech support scams, fake updates, phishing links and other threats. The TDSes are primarily black market, threat actor-controlled tools such as Parrot and VexTrio's own TDSes, though the report cited one commercial product: Keitaro.
The report detailed how VexTrio partners SocGholish and ClearFake used Keitaro to redirect victims to VexTrio's TDSes. Renée Burton, head of threat intelligence at Infoblox, said the research team found no evidence to suggest Keitaro was a VexTrio partner and actively supporting the cybercrime operation. However, she noted several concerns about the company.
First, she said many of Keitaro's features "facilitate threat activities," including the TDS' powerful filtering options based on not only device type, IP address and region but also connection types, languages and whether proxies are being used. "This can allow the bad actors to utilize a wide range of downstream actors to maximize the profits of a compromised server," she said.
The researchers were also able to trigger redirects by sending queries to servers running the Keitaro TDS through virtual machines, which indicates the product performed sandbox checks. However, Burton said it's unclear if the antivirus checks were still functional.
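The conditional redirection the article describes (U.S. browsers sent to SocGholish, European users to tech support scams, and automated or research clients steered to harmless sites) leaves a characteristic pattern in a defender's own proxy logs: one compromised source page redirecting different client profiles to different external destinations. The following is an added example, not code from the article or from Keitaro; it assumes a constructed, simplified proxy-log format and hypothetical domains, and flags sources whose redirect destination depends on client geography or automation status.

```python
"""Flag TDS-style conditional redirects in proxy logs (added example).

Assumed log format (constructed for this example, not any vendor's):
    <client_geo> <ua_class> <host> <path> <status> [<Location header>]
ua_class is a coarse label a proxy or sensor might assign: "browser",
"headless" (automation/sandbox-like) or "crawler".
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Hit:
    client_geo: str
    ua_class: str
    host: str
    path: str
    status: int
    location: str  # Location header on 3xx responses, else ""


# Constructed sample: blog.example (a hypothetical compromised site) answers
# the same request with geo- and UA-dependent 302 targets, while docs.example
# only performs an ordinary same-site canonical redirect.
SAMPLE_LOG = """\
US browser blog.example /news 302 https://lander.example.net/update
US browser blog.example /news 302 https://lander.example.net/update
DE browser blog.example /news 302 https://support-scam.example.org/alert
DE browser blog.example /news 302 https://support-scam.example.org/alert
US headless blog.example /news 302 https://www.example.com/
US crawler blog.example /news 200
US browser docs.example /guide 302 https://docs.example/guide/
DE browser docs.example /guide 302 https://docs.example/guide/
"""


def parse_log(text: str) -> list[Hit]:
    """Parse the constructed log format into Hit records."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(" ", 5)
        geo, ua, host, path, status = parts[:5]
        location = parts[5].strip() if len(parts) > 5 else ""
        hits.append(Hit(geo, ua, host, path, int(status), location))
    return hits


def find_conditional_redirects(hits: list[Hit], min_profiles: int = 2) -> list[dict]:
    """Return sources whose off-site redirect target varies by client profile.

    A profile is (client_geo, ua_class). A finding also records whether
    non-browser clients were steered to a different destination than real
    browsers, the "decoy for automation" behaviour the article attributes
    to sandbox-aware TDS filtering.
    """
    by_source: dict[tuple, dict[tuple, set]] = defaultdict(lambda: defaultdict(set))
    for h in hits:
        if 300 <= h.status < 400 and h.location:
            dst = urlsplit(h.location).netloc.lower()
            if dst and dst != h.host:  # ignore same-site canonical redirects
                by_source[(h.host, h.path)][(h.client_geo, h.ua_class)].add(dst)

    findings = []
    for source, profiles in by_source.items():
        destinations = set().union(*profiles.values())
        if len(destinations) < 2 or len(profiles) < min_profiles:
            continue
        browser = set().union(*(d for (_, ua), d in profiles.items() if ua == "browser"))
        automation = set().union(*(d for (_, ua), d in profiles.items() if ua != "browser"))
        findings.append({
            "source": source,
            "destinations": destinations,
            "by_profile": {p: sorted(d) for p, d in profiles.items()},
            "automation_decoy": bool(browser) and bool(automation)
            and browser.isdisjoint(automation),
        })
    return findings


if __name__ == "__main__":
    for finding in find_conditional_redirects(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against real logs, the `ua_class` label would come from whatever client fingerprinting the proxy already performs; the heuristic itself only needs the source page, the client profile and the redirect target.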
Lastly, Burton highlighted several connections that she said were common in cybercrime. "Keitaro and the threat actors that use Keitaro have strong ties to Russia," she said. "Keitaro's previous website, keitarotds[.]com, was using Russian nameservers for over a decade; its new site, keitaro[.]io, now uses CloudFlare. The only other supported language on Keitaro's website is Russian."
In addition, the malware authors and distributors of the RIG and Nuclear exploit kits are based in Russia, while SocGholish is connected to the notorious Russian cybercrime gang known as Evil Corp. Burton also noted the TDS was used in a Russian influence operation in 2022 that targeted audiences in the U.S., Ukraine and Germany.
Keitaro insists it is doing everything it can to curb abuse. But the breadth of malicious activity tied to the company's TDS has given some cybersecurity vendors pause.
Given the long track record of malicious activity using Keitaro and repeated abuses by known cybercrime groups, Burton said, "It is fair to say that Keitaro does not have robust measures in place to detect and mitigate cybercriminal activity using their services."
It's possible much of the malicious activity stems from cracked versions of the software, though it's difficult to tell. Rud said he is "almost sure" that DEV-0569's threat activity stemmed from a cracked copy of Keitaro's product. "We have repeatedly appealed to local authorities to stop the spread of this product, but no one cares about it on their side," he said.
Burton said Infoblox researchers saw no evidence in the VexTrio activity that the Keitaro software had been tampered with or modified. In fact, based on the artifacts collected during the research, Infoblox determined some of the threat actors, including ClearFake, used a premium version of the software, rather than the 14-day free trial version.
Similarly, Jaramillo said there's no evidence of cracked versions in the network traffic Sophos observed in the IcedID campaign, which typically shows Nginx or OpenResty servers running the software. But he emphasized that threat analysts don't have any visibility into the licensing aspect of the product.
"I don't have any data or insight into how they run their business -- so as far as I know, they are a legitimate software provider that sells a product," he said. "And you can assume with that, there's a certain amount of indifference to how it's being used."
Currently, none of the major antimalware or threat detection vendors proactively block Keitaro by default, as they do for BlackTDS, Prometheus, 404 TDS and others.
In fact, Keitaro's rise in popularity among threat actors stems in large part from the fact that its TDS activity isn't flagged as malicious, Jaramillo said, and as long as that's the case, threat activity will likely continue. Given the option between a frequently blocked, black market TDS and a legitimate commercial TDS, cybercriminals will make the obvious choice.
"If the costs are similar, and you have the element of ambiguity, why wouldn't you use the one that's legitimate?" he said.
Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage.