Unit 42 Unmasks Parrot TDS: A Persistent Cyber Threat Evolves
Cybersecurity researchers from Jamf Threat Labs have analyzed over 10,000 scripts utilized by the Parrot Traffic Direction System (TDS) and unearthed significant advancements in the optimization of these scripts. These enhancements render the malicious code more elusive to security systems, thereby increasing its potency.
The Parrot TDS, initially detected by Avast in April 2022 and believed to have been active since 2019, aims to compromise WordPress and Joomla sites through JavaScript code that redirects users to malicious resources.
According to Avast’s 2022 data, the Parrot system infected no fewer than 16,500 websites, highlighting the operation’s extensive scale. Parrot operators sell this traffic to malefactors who use it for profiling visitors of infected sites and redirecting them to phishing pages or malware-distributing resources.
Palo Alto Networks’ Unit 42 team, in their recent report, indicates that Parrot TDS remains active, with its operators continually refining techniques to complicate the detection and removal of JavaScript injections. The examination of 10,000 Parrot scripts, collected from August 2019 to October 2023, revealed four iterations of system development, showcasing progress in obfuscation methods.
Parrot’s malicious scripts assist in user profiling and coerce the victim’s browser to download malevolent scripts from the attacker’s server, facilitating redirection.
According to Unit 42, the majority of infections in the analyzed sample have transitioned to the newest script version. Notably, the fourth version incorporates enhancements such as complex code structure, various methods of array indexing, and string processing, significantly complicating signature-based detection and recognition.
Despite additional obfuscation layers and alterations in code structure, the primary functionality of version 4 remains unchanged—profiling the victim’s environment and initiating the download of a malicious script.
Furthermore, Unit 42 discovered nine variants of loader scripts responsible for redirecting users. In 70% of cases, version 2 is used without obfuscation. Versions 4-5 introduced obfuscation layers, which became more complex in versions 6-9, although these versions are infrequently encountered on compromised sites.
Parrot TDS continues to be an active and evolving threat. Website owners are advised to inspect servers for suspicious PHP files, scan for the keywords ndsj, ndsw, and ndsx, employ firewalls to block web shell traffic, and use filtering tools to block known malicious URLs and IP addresses.