A new traffic direction system (TDS) called Parrot has been discovered using tens of thousands of compromised websites to launch further malicious campaigns.
Avast researchers Pavel Novák and Jan Rubín said: “TDS infected various web servers hosting more than 16,500 websites, ranging from adult content sites, personal websites, school sites, universities and local government websites”.
Traffic direction systems are used by threat actors to determine whether a target is of interest and should be redirected to a malicious domain under their control; in this way the TDS acts as the gateway through which the victim's system is compromised with malware.
Earlier this January, BlackBerry’s Research and Intelligence Team detailed another TDS called Prometheus that has been put to use in various campaigns mounted by cybercrime groups to distribute malware such as Campo Loader, Hancitor, IcedID, QBot, Buer Loader and SocGholish.
What makes Parrot TDS stand out is its vast reach, with increased activity observed in February and March 2022, as its operators mainly single out servers hosting poorly secured WordPress sites in order to gain admin access.
Most of the users targeted by these malicious redirects are in Brazil, India, USA, Singapore, Indonesia, Argentina, France, Mexico, Pakistan and Russia.
Parrot TDS works through a PHP script injected into the compromised server. When a visitor accesses one of the infected sites, the script extracts client information and forwards the request to a command-and-control (C2) server; it also allows the attacker to execute arbitrary code on the server.
Calling the criminals behind the FakeUpdate campaign a common client of Parrot TDS, Avast said the attacks involved pushing users to download malware under the guise of fake browser updates: a remote access trojan named “ctfmon.exe” that gives the attacker full access to the server.