
The Massive, Hidden Infrastructure Enabling Big Game Hunting at Scale

Posted: 22nd April 2025
By: Megan Keeling

Coming across highly targeted advertisements online is a common experience for many US consumers. One way advertisers achieve this is by using traffic distribution systems (TDSs), which collect information about potential customers to direct them to highly targeted ads. Using data from the user’s browser, geolocation, and behavior, a TDS makes rapid decisions on directing traffic to get the most from ad spend. However, cybercriminals also use this infrastructure to deliver highly targeted malware to victims who are most likely to click their links. Malicious TDSs work in much the same way as legitimate TDSs, except they direct victims to the most effective malware instead of the most effective advertisement. Additionally, these TDSs provide a defensive measure to ensure the malware is not delivered to researchers or sandboxes that could analyze the code.

Insikt Group has been tracking how cybercriminals use these tools and identified infrastructure linked to a highly active malicious TDS dubbed TAG-124. TAG-124 allows ransomware operators and other cybercriminals to maximize their chances of infecting their intended victims with their respective payloads. At least two ransomware groups have been observed using TAG-124 to infect victims in health care and other critical infrastructure, demonstrating the value of traffic distribution for “big game hunting” (targeting companies perceived as likely to pay out high extortion demands). While shared infrastructure like TAG-124 helps cybercriminals improve their efficiency and effectiveness, understanding TAG-124 infrastructure can help defenders block or even disable activity from multiple cyber threat actors simultaneously before compromise occurs.

Figure 1: Multiple threat actors use TAG-124 to direct victims to their malware (Source: Recorded Future)

Multiple Threat Actors Use TAG-124 Infrastructure

Insikt Group has observed multiple threat actors using this malicious TDS, including:

  • Rhysida Ransomware: A sophisticated ransomware-as-a-service operation notable for extorting healthcare organizations and other critical infrastructure. In 2023, the group claimed responsibility for an attack on Prospect Medical Holdings, which resulted in the theft of over 500,000 social security numbers and impacted operations at seventeen hospitals and 166 clinics.
  • Interlock Ransomware: Another ransomware group targeting primarily healthcare organizations and other “big game” to extort higher payouts through high-impact attacks on large organizations. In December 2024, the group claimed credit for an attack on the Texas Tech University Health Sciences Center, stealing 2.6 TB of sensitive personal data. Interlock shares many similarities with Rhysida, such as tactics, tools, and encryption behaviors, though the exact relationship between the two is unknown.
  • TA866 / Asylum Ambuscade: This cybercrime group engages in financial targeting and cyber espionage very likely on behalf of the Russian government. The group has targeted bank customers and cryptocurrency traders across North America and Europe and carried out espionage against government entities in Europe, Central Asia, and other areas.

TAG-124 has also been associated with SocGholish and D3F@ck Loader malware, which provide remote access and malware delivery for financially motivated activity. While Insikt Group does not know which criteria TAG-124 uses to filter and direct malicious content, its use of search engine optimization (SEO) poisoning and compromised legitimate websites exposes an enormous number of potential victims. By outsourcing initial infection to TAG-124, groups like Rhysida and Interlock can pursue “big game hunting” while specializing in the techniques used at later stages of the infection kill chain, and that specialization enables more effective extortion campaigns.

Risk Outlook

Successful big game hunting that results in large payouts allows sophisticated syndicates like Rhysida and Interlock to invest back into services that make their work more effective. This drives the increased specialization of groups like TAG-124, creating a virtuous cycle of cybercrime. As a result, businesses face an increasing risk of high-impact ransomware attacks and espionage-driven data theft: the links between TAG-124 and Asylum Ambuscade suggest that state-sponsored threat actors are also taking advantage of these services in addition to profit-motivated actors.

Defending against TAG-124 may be challenging due to its early role in the cyberattack life cycle, but missing intrusions early on can still have negative consequences for companies. For example, one of Rhysida’s latest victims, Sunflower Medical, is facing a class action lawsuit because of its failure to implement security measures that would have detected the breach early in the infection cycle. According to the company, the intrusion was not discovered for three weeks following the initial breach. While it is unknown whether TAG-124 was used for this intrusion, the legal consequences demonstrate the significant risks of missing early signs of a breach.

Mitigations

TAG-124 is not the only TDS operating on behalf of threat actors. Other notable examples include VexTrio, Prometheus TDS, and BlackTDS, all of which offer competing malware delivery capabilities. Operators of these systems increase the effectiveness of many different threat actors — primarily criminal, though occasionally state-sponsored — by providing professional infrastructure that repurposes legitimate content delivery techniques for criminal use. However, identifying indicators of malicious TDSs can help defenders detect and block multiple threat actors early in the attack kill chain.

Insikt Group recommends the following measures:

  • Advanced threat detection: In addition to blocking known indicators, use host- and log-based detections, such as YARA, Snort, and Sigma rules found in Recorded Future’s Intelligence Cloud, for custom file scanning and detection. These detections can help identify unwanted tools or other suspicious activity.
  • User education: Educate users on the risks of SEO poisoning and urge caution when browsing. In particular, warn users about unprompted offers to download Google Chrome updates and other lures associated with TAG-124 infrastructure.
  • Secure browser settings: Enable automatic browser updates and pop-up blocking to reduce exposure to malicious update prompts.
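As an added example (not code from the report or from Insikt Group), the following Python check runs over constructed proxy log lines and surfaces the two behaviours described above: a redirect chain that starts on a legitimate site and ends in a browser-update executable served from an untrusted host, and the same entry page sending different client fingerprints to different destinations, which is the filtering behaviour that lets a TDS serve malware to victims while showing a decoy to sandboxes. The log format, the domain names and the allowlist of trusted update hosts are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (client|user_agent|referer|url|status); not real traffic.
LOG_LINES = [
    "10.0.0.5|Mozilla/5.0 (Windows NT 10.0) Chrome/124|-|https://legit-blog.example/tax-forms|200",
    "10.0.0.5|Mozilla/5.0 (Windows NT 10.0) Chrome/124|https://legit-blog.example/tax-forms|https://tds-hop.example/go?c=7|302",
    "10.0.0.5|Mozilla/5.0 (Windows NT 10.0) Chrome/124|https://tds-hop.example/go?c=7|https://cdn-files.example/ChromeUpdate.exe|200",
    "10.0.0.9|curl/8.0|-|https://legit-blog.example/tax-forms|200",
    "10.0.0.9|curl/8.0|https://legit-blog.example/tax-forms|https://tds-hop.example/go?c=7|200",
]
# Assumption: hosts from which a genuine Chrome update may legitimately be fetched.
TRUSTED_UPDATE_HOSTS = ("google.com", "dl.google.com")
FAKE_UPDATE_RE = re.compile(r"(chrome|browser|firefox).*update.*\.(exe|msi|js|zip)$", re.I)

def parse(lines):
    keys = ("client", "ua", "ref", "url", "status")
    return [dict(zip(keys, line.split("|"))) for line in lines]

def terminal_chains(recs):
    """Rebuild each client's navigation chain by walking Referer values back to the entry page,
    yielding only chains that end at a request no later request referred from."""
    by_url = {(r["client"], r["url"]): r for r in recs}
    referred = {(r["client"], r["ref"]) for r in recs}
    for r in recs:
        if (r["client"], r["url"]) in referred:
            continue
        chain, cur = [r], r
        while cur["ref"] != "-" and (cur["client"], cur["ref"]) in by_url and len(chain) < 10:
            cur = by_url[(cur["client"], cur["ref"])]
            chain.insert(0, cur)
        yield chain

def is_trusted(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_UPDATE_HOSTS)

def find_alerts(lines):
    alerts, outcomes = [], defaultdict(dict)  # outcomes[entry_url][user_agent] = final host
    for chain in terminal_chains(parse(lines)):
        if len(chain) < 2:
            continue  # a plain page load, not a chain of hops
        entry, last = chain[0], chain[-1]
        final = urlparse(last["url"])
        outcomes[entry["url"]][last["ua"]] = final.netloc
        if FAKE_UPDATE_RE.search(final.path.rsplit("/", 1)[-1]) and not is_trusted(final.netloc):
            alerts.append(("fake_browser_update", last["client"], " -> ".join(r["url"] for r in chain)))
    for entry_url, by_ua in outcomes.items():
        if len(set(by_ua.values())) > 1:  # same entry page, different destination per client fingerprint
            alerts.append(("client_dependent_redirect", entry_url, sorted(set(by_ua.values()))))
    return alerts
```

On the sample log, the Chrome client is routed through the TDS hop to a fake update executable while the non-browser client is held at the hop, so both alerts fire.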

For more information on TAG-124 and other emerging threats in malware, check out Insikt Group’s 2024 Malicious Infrastructure Report.
