The new Parrot TDS is seen sending victims to malware-infected websites

April 8, 2022
Parrot TDS, FakeUpdate, Malware-infected Websites, Traffic Direction System

Security experts found a new traffic direction system (TDS) dubbed Parrot that relies on servers hosting over 16,500 websites of local governments, personal blogs, universities, and adult content. The Parrot TDS is utilised for campaigns that redirect victims who match a specific profile towards phishing and malware-infected websites.

Hackers buy TDS services over dark web marketplaces to run malicious campaigns that filter incoming traffic and send it to a destination where victims could get infected by a malicious payload. Advertisers and marketers also take advantage of TDS, and in some cases the services are exploited to perform malspam campaigns.

Cybersecurity analysts discovered the new Parrot TDS in a campaign called FakeUpdate that distributes remote access trojans (RATs) through fake browser update notifications.

There have been traces of the Parrot TDS as far back as October last year; however, experts only noticed its campaign in February of this year.

Based on a report, the Parrot TDS is more widespread than other TDS, considering the number of victims impacted by it. Furthermore, the impacted websites, such as WordPress sites, appear to have been poorly secured by their respective hosting providers.

The operators of the TDS plant malicious web shells inside the compromised servers and copy them to distinct locations with similar names, following a ‘parrot’ pattern. They also use a PHP backdoor script that exfiltrates client data and redirects the requests to the C2 server of the Parrot TDS, although some cases do not require the PHP script, forwarding the requests to the infrastructure directly.
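A defender's check for the copying behaviour described above, as an added example that is not from the original report: it groups byte-identical PHP files that sit in different directories under similar names. The file names and contents in the sample, the 0.6 similarity threshold, and the `index.php` ignore list are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from difflib import SequenceMatcher
from pathlib import Path


def find_parroted_php(web_root, ignore_names=("index.php",), name_similarity=0.6):
    """Cluster byte-identical .php files that sit in different directories
    under similar names. ignore_names skips known benign duplicates."""
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(".php") or name.lower() in ignore_names:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    by_hash[hashlib.sha256(fh.read()).hexdigest()].append(path)
            except OSError:
                continue  # unreadable file: keep scanning
    clusters = []
    for digest, paths in by_hash.items():
        if len({os.path.dirname(p) for p in paths}) < 2:
            continue  # copies must be spread over distinct locations
        stems = [os.path.splitext(os.path.basename(p))[0].lower() for p in paths]
        if all(SequenceMatcher(None, stems[0], s).ratio() >= name_similarity
               for s in stems[1:]):
            clusters.append({"sha256": digest, "paths": sorted(paths)})
    return sorted(clusters, key=lambda c: c["paths"])


def demo():
    """Scan a constructed web root (all file names and contents are made up)."""
    sample = {
        "wp-content/uploads/cache-helper.php": b"<?php /* constructed marker A */",
        "wp-includes/js/cache_helper.php": b"<?php /* constructed marker A */",
        "wp-admin/css/cachehelper1.php": b"<?php /* constructed marker A */",
        "wp-content/index.php": b"<?php // Silence is golden.",
        "wp-content/plugins/index.php": b"<?php // Silence is golden.",
        "wp-content/themes/functions.php": b"<?php /* constructed marker B */",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            full = Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(body)
        return [[os.path.relpath(p, root).replace(os.sep, "/") for p in c["paths"]]
                for c in find_parroted_php(root)]
```

Hits are leads for triage rather than verdicts, since plugins and themes can legitimately ship identical files in several directories.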

The most targeted countries in this new TDS campaign include the US, India, Indonesia, Brazil, and Singapore. The campaign is also highly efficient since it can target specific individuals out of thousands of potential victims by sending them to unique malware-dropping links based on extensive profiling of their network, hardware, and software.

Aside from the RAT campaign run through the new Parrot TDS, experts also found many infected servers that host phishing sites. Some of these pages copy the Microsoft login page to request users’ account credentials, which can be used for further attack operations.

Experts recommend that browser users apply updated internet security solutions every time they go online to get protected from the threats posed by this new TDS campaign.
