A new traffic directing system (TDS) called Parrot has been spotted leveraging tens of thousands of compromised websites to launch new malicious campaigns.
“TDS infected various web servers hosting more than 16,500 websites, ranging from adult content sites, personal websites, university sites and local government sites,” said Avast researchers Pavel Novák and Jan Rubín in a report published last week.
Threat actors use traffic direction systems to decide whether a visitor is a target of interest; if so, the visitor is redirected to a malicious domain under the actors' control, which then acts as the gateway for compromising the victim's system with malware.
Earlier in January, BlackBerry’s Research and Intelligence team detailed another TDS, called Prometheus, that was used in campaigns mounted by cybercriminal groups to distribute Campo Loader, Hancitor, IcedID, QBot, Buer Loader and SocGholish malware.
What sets Parrot TDS apart is its enormous reach, with increased activity seen in February and March 2022, as its operators primarily targeted servers hosting poorly secured WordPress sites to gain admin access.
Most of the users targeted by these malicious redirects are located in Brazil, India, USA, Singapore, Indonesia, Argentina, France, Mexico, Pakistan and Russia.
Parrot TDS relies on a PHP script injected into the compromised server. When a visitor reaches one of the infected sites, the script extracts client information and forwards the request to the command-and-control (C2) server; it also allows the attacker to execute arbitrary code on the server.
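Because the redirect logic lives in PHP files on the web server itself, one defender-side check is a file-integrity comparison of the site's PHP files against a known-good baseline. The following is an added example, not code from Avast's report or from the Parrot TDS operators: it hashes every `.php` file under a web root, then reports files that were modified, added or removed relative to a stored baseline. The miniature WordPress-like tree, the file names and the appended placeholder text in `demo()` are constructed for illustration; nothing here reproduces the actual injected script.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every .php file below root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*.php"))
        if p.is_file()
    }


def diff_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with a baseline taken from a trusted state."""
    current = build_baseline(root)
    return {
        # Same path, different hash: code appended or replaced in a legitimate file.
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        # Path unknown to the baseline: a dropped file, e.g. a new PHP loader.
        "added": sorted(k for k in current if k not in baseline),
        # Path gone: a legitimate file deleted or renamed.
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny fake site, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "functions.php").write_text("<?php function wp_hello() {}\n")
        baseline = build_baseline(root)  # taken while the site is known to be clean

        # Simulated compromise (constructed placeholders, not the real payload):
        # extra code appended to an existing file and a brand-new PHP file dropped.
        with (root / "wp-includes" / "functions.php").open("a") as fh:
            fh.write("<?php /* constructed placeholder for injected code */ ?>\n")
        (root / "wp-includes" / "class-constructed.php").write_text(
            "<?php /* constructed placeholder for a dropped file */\n"
        )
        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is written once from a clean deployment (or regenerated after every legitimate update) and stored off the web server, so an attacker with write access to the document root cannot simply refresh it.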
Avast called the criminal actors behind the FakeUpdate campaign a prominent Parrot TDS client. Those attacks trick users into downloading malware disguised as browser updates: a remote access trojan named “ctfmon.exe” that gives the attacker full access to the host.
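The payload borrows the name of a legitimate Windows binary (the real `ctfmon.exe` lives under the Windows system directories), which is exactly the kind of masquerading that endpoint telemetry can catch. The following is an added example, not code from Avast or from the page: it parses constructed process-creation log lines in a simple `key=value` format (not any vendor's real schema) and flags a `ctfmon.exe` image whose directory is not one of the expected system paths. Paths are handled with `ntpath`, so the check runs on any platform.

```python
import ntpath
import re

# Directories where the genuine ctfmon.exe (Windows Text Services host) is installed.
# Assumed allow-list for this example; extend it for other often-impersonated names.
EXPECTED_DIRS = {
    "ctfmon.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# key=value tokens; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry, not real captured data.
SAMPLE_LOG = [
    r'Time=2022-04-12T09:14:02Z Pid=4120 Image="C:\Windows\System32\ctfmon.exe" Parent="C:\Windows\System32\svchost.exe"',
    r'Time=2022-04-12T09:15:47Z Pid=5188 Image="C:\Users\jdoe\Downloads\ctfmon.exe" Parent="C:\Program Files\Mozilla Firefox\firefox.exe"',
    r'Time=2022-04-12T09:16:03Z Pid=5190 Image="C:\Windows\SysWOW64\ctfmon.exe" Parent="C:\Windows\SysWOW64\svchost.exe"',
    r'Time=2022-04-12T09:16:10Z Pid=6001 Image="C:\Windows\System32\notepad.exe" Parent="C:\Windows\explorer.exe"',
]


def parse_event(line: str) -> dict[str, str]:
    """Turn one log line into a lower-cased-key dictionary, stripping quotes."""
    return {key.lower(): value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_masquerading(image_path: str) -> bool:
    """True if the file name is tracked but its directory is not an expected one."""
    directory, name = ntpath.split(image_path)
    expected = EXPECTED_DIRS.get(name.lower())
    if expected is None:
        return False  # a name this rule does not care about
    # normpath collapses tricks such as C:\Windows\System32\..\Temp\ctfmon.exe
    return ntpath.normpath(directory).lower() not in expected


def flag_events(lines: list[str]) -> list[tuple[str, str]]:
    """Return (pid, image) pairs for processes whose image path looks impersonated."""
    hits = []
    for line in lines:
        event = parse_event(line)
        image = event.get("image")
        if image and is_masquerading(image):
            hits.append((event.get("pid", "?"), image))
    return hits


if __name__ == "__main__":
    for pid, image in flag_events(SAMPLE_LOG):
        print(f"suspicious process {pid}: {image}")
```

The same rule translates directly into a SIEM query (image name equals `ctfmon.exe`, image directory not in the allow-list); the point of the allow-list on the directory rather than a block-list on the file name is that the legitimate binary keeps running without alerts.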