Over 16,500 Sites Hacked to Distribute Malware

A new traffic direction system (TDS) known as Parrot has been discovered, which is leveraging tens of thousands of compromised websites to launch further malicious campaigns.

"The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites to personal websites, university websites, and local government websites," Avast researchers Pavel Novák and Jan Rubin wrote in a report published last week.

Traffic direction systems are used by threat actors to decide whether a visitor is of interest and, if so, to redirect them to a malicious domain under the attackers' control, where the victim's system can then be infected with malware.

Earlier this month, the BlackBerry Research and Intelligence Team published a report on another TDS known as Prometheus, which has been used in various campaigns mounted by cybercriminal groups to distribute malware such as Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish.

What distinguishes Parrot TDS is its broad reach, with increased activity observed in February and March 2022, as its operators have targeted servers hosting poorly secured WordPress sites in order to gain administrator access.

The majority of the users targeted by these malicious redirects are located in Brazil, India, the United States, Singapore, Indonesia, Argentina, France, Mexico, Pakistan, and Russia.

"The appearances of the infected sites are altered by a campaign known as FakeUpdate (also known as SocGholish), which uses JavaScript to display fake notices to users advising them to update their browser and offering them a download link for an update file," the researchers wrote. "The file that was observed being delivered to victims is a remote access tool."

When a user visits one of the infected websites, the Parrot TDS malware, which is delivered via an injected PHP script hosted on the compromised server, extracts client information and forwards the request to the command-and-control (C2) server; the same script also allows the attacker to execute arbitrary code on the server.

The response from the C2 server is in the form of JavaScript code, which is executed on the client machine, exposing the victims to potential new threats. In addition to the malicious backdoor PHP script, a web shell was discovered, which provides the adversary with persistent remote access to the web server.
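One defender-side check that follows from this description: a baseline of hashes for a site's PHP files, re-taken periodically, surfaces new or altered files of the kind an injected script or dropped web shell would leave behind. This is an added example, not Avast's tooling or anything from the report; the WordPress paths and file contents below are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every .php file under root."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*.php"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; added and modified PHP files are what to review first."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed mini WordPress tree: take a baseline, simulate tampering, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        core = root / "wp-includes" / "functions.php"
        core.write_text("<?php // constructed stand-in for a core file\n")
        baseline = build_manifest(root)

        # Simulated tampering with inert, constructed placeholders: a prefix
        # prepended to an existing core file and a new file dropped into a
        # directory the web server can write to.
        core.write_text("<?php /* constructed: simulated injected prefix */\n" + core.read_text())
        dropped = root / "wp-content" / "uploads" / "dropped.php"
        dropped.write_text("<?php /* constructed placeholder for a dropped file */\n")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from a known-good deployment (or rebuilt from the vendor packages) and stored off the web server, since a backdoor with code execution on the host can rewrite a manifest kept beside it.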

Avast said the criminals behind the FakeUpdate campaign were a frequent customer of Parrot TDS, and that the attacks prompted users to download malware disguised as a browser update: a remote access trojan named "ctfmon.exe," which gives the attacker full access to the host.
