IS Specialists Discovered Thousands of Sites Related to Parrot TDS

Sucuri experts found that Parrot TDS (Traffic Direction System) is far more widespread than previously thought: the researchers write that the infection affected at least 61,000 sites.

Let me remind you that Parrot TDS (Traffic Direction System) was first described in detail by Avast specialists in the spring of 2022. At the time, it was reported that Parrot relied on hacked servers hosting 16,500 university, municipal government, adult content and personal blog sites.

Let me remind you that we also wrote, for example, that Onyx Malware Destroys Large Files Instead of Encrypting Them, and also that Experts Found More Than 3.6 million Unprotected MySQL Servers.

As in other similar cases, Parrot is used for malicious campaigns in which potential victims matching a certain profile (location, language, operating system and browser features are taken into account) are redirected to fraudulent resources, such as phishing sites and sites serving malware. Essentially, attackers buy TDS services to filter incoming traffic and redirect the selected victims to a destination of their choice with malicious content.

Sucuri analysts, who have been tracking this threat since 2019 under the name ndsw/ndsx, now say that more than 61,000 sites were affected by the infection in 2021.

"The NDSW malware campaign is extremely successful because it uses a universal exploitation toolkit that is constantly updated with newly discovered vulnerabilities and 0-days. Once an attacker has gained unauthorized access to the environment, he adds various backdoors and CMS administrator users to maintain access to the compromised site long after the original vulnerability is closed," the experts write.

Analysts write that attackers add a piece of malicious code to all JavaScript files on compromised servers hosting popular CMSs (such as WordPress). The embedded JavaScript is carefully disguised so that it does not look suspicious to a casual observer.
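A defender-side check that follows from this description, added here as an example and not code from Sucuri or the article: because the same block is appended to every JavaScript file on a site, a scanner can flag files that reference the ndsw/ndsx identifiers the campaign is tracked under, and, independently of any identifier, long lines that recur verbatim across many files. The sample webroot, file names and the inert one-line block are constructed for the demo.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Identifier family Sucuri tracks this campaign under (ndsw/ndsx, per the article).
MARKER_RE = re.compile(rb"\bnds[wx]\b")

def scan_js_tree(root, min_line_len=120, min_files=3):
    """Return (marker_hits, shared_lines) for all .js files under root.
    marker_hits: files that contain an ndsw/ndsx identifier.
    shared_lines: {sha256: [paths]} for long lines found verbatim in at least
    min_files files; the same block appended to every JavaScript file on a
    site forms one such group even if the identifier has been renamed."""
    marker_hits, line_owners = [], defaultdict(set)
    for path in (p for p in Path(root).rglob("*.js") if p.is_file()):
        data = path.read_bytes()
        if MARKER_RE.search(data):
            marker_hits.append(path)
        for line in (l.strip() for l in data.splitlines()):
            if len(line) >= min_line_len:  # ordinary code lines are shorter
                line_owners[hashlib.sha256(line).hexdigest()].add(path)
    shared = {h: sorted(p) for h, p in line_owners.items() if len(p) >= min_files}
    return sorted(marker_hits), shared

def build_sample_site(root):
    """Constructed toy webroot: four JS files, three ending in the same inert
    one-line block that merely names the ndsw identifier (not real malware)."""
    clean = b"function init(){console.log('hello');}\n"
    injected = b";if(typeof ndsw==='undefined'){var pad='" + b"A" * 150 + b"';}\n"
    layout = {
        "wp-includes/js/a.js": clean + injected,
        "wp-content/themes/t/b.js": clean + injected,
        "wp-content/plugins/p/c.js": b"var y=1;\n" + injected,
        "wp-content/plugins/p/d.js": clean,
    }
    for rel, body in layout.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

def demo():
    """Build the sample site in a temp dir, scan it, return site-relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        hits, shared = scan_js_tree(root)
        rel = lambda p: p.relative_to(root).as_posix()
        return sorted(rel(p) for p in hits), [sorted(rel(p) for p in g) for g in shared.values()]
```

The shared-line check also groups legitimate copies of the same minified library, so treat a group as a lead to inspect, not a verdict.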

[Image: sites with Parrot TDS]

This JavaScript launches the second stage of the attack: it executes a PHP script already deployed on the server, which collects information about the site visitor (for example, IP address, referrer and browser) and sends the data to a remote server.

The third stage of the attack is the JavaScript code returned by that server, which acts as the TDS, i.e. it determines the exact payload to deliver to a specific user based on the information collected during the previous stage.

"After TDS verifies that the visitor meets the specific requirements, the NDSX script downloads the final payload from the third-party site," the researchers write.

It is noted that the malware most commonly used for the third stage of the attack is the FakeUpdates JavaScript loader (aka SocGholish).

A company report states that in 2021 alone, Sucuri removed Parrot TDS from 20 million JavaScript files found on infected sites. And in the first five months of 2022, more than 2,900 PHP files and 1.64 million JavaScript files were found containing this malware.


About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.