Hacked websites are at even greater risk from malicious web redirect scripts
The Parrot Traffic Direction System (TDS), a malicious script injected into compromised websites that redirects visitors to dangerous destinations, has been observed evolving and becoming increasingly difficult to detect.
Researchers at Palo Alto Networks' Unit 42 recently analyzed 10,000 Parrot landing-page scripts collected between August 2019 and October 2023.
They found that the majority of the scripts (75%) were new and belonged to the fourth iteration of the code. Another 18% came from the previous version, while the remaining 7% were still running older scripts.
Different payloads for different victims
Compared to the older versions, the fourth iteration brings a number of improvements, including stronger obfuscation through a more complex code structure and encryption mechanisms. The fourth version also uses different array indexing and processing, which disrupts pattern matching and signature-based detection, and varies how strings and numbers are handled.
In terms of effectiveness, Parrot TDS remains as useful to its operators as ever. It profiles the victim's environment and drops different payloads depending on what it finds. Unit 42 identified a total of nine different payload versions that differ only slightly from one another, with "minor obfuscation changes" and operating-system checks.
In most cases (70%), Parrot drops version 2 of the payload, which carries no obfuscation at all.
To stay safe, website owners should scan their servers for suspicious PHP files. They should also scan their web content for the ndsj, ndsw, and ndsx keywords (the variable names the injected Parrot script uses) and use firewalls to block web shell traffic. Finally, they should deploy URL filtering tools to block traffic to and from known malicious URLs and IP addresses.
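One way to carry out the keyword scan described above, as an added example that is not code from the article, Unit 42, or the malware itself: the script below walks a web root, reads only web-facing file types (.js, .html, .htm, .php), and reports which of the ndsj, ndsw and ndsx identifiers each file contains. The sample "site" it builds in a temporary directory is constructed for this example and only mimics the shape of the injection (a guard on an undefined global); it is not the real Parrot code. Function names and the file layout are the example's own assumptions.

```python
"""Scan a web root for the Parrot TDS marker identifiers (ndsj, ndsw, ndsx).

Added example, not from the article or Unit 42. The sample files below are
constructed and only imitate the general shape of the injection.
"""
import os
import re
import tempfile
from typing import Dict, List

# Identifier names the article says to search for. The \b anchors keep
# near-misses such as "ndswatch" from matching.
PARROT_MARKERS = re.compile(r"\b(ndsj|ndsw|ndsx)\b")

# Injected JavaScript lands in script files, static HTML and PHP templates
# that emit HTML, so only these extensions are inspected.
SCAN_EXTENSIONS = {".js", ".html", ".htm", ".php"}


def find_parrot_markers(text: str) -> List[str]:
    """Return the distinct marker names found in text, in order of first appearance."""
    seen: List[str] = []
    for match in PARROT_MARKERS.finditer(text):
        name = match.group(1)
        if name not in seen:
            seen.append(name)
    return seen


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and map each flagged file (POSIX-style relative path) to its markers."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                # errors="ignore" tolerates minified or partly binary files.
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    found = find_parrot_markers(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


# Constructed sample content (hypothetical, not real malware).
CLEAN_JS = "function init(){console.log('hello');}\n"
INFECTED_JS = "if(ndsw===undefined){var ndsx=1;}\n" + CLEAN_JS
CLEAN_PHP = "<?php echo 'ok'; ?>\n"
INFECTED_HTML = "<html><script>if(ndsj===undefined){ndsj=true;}</script></html>\n"


def build_sample_site() -> str:
    """Create a throwaway web root with clean and infected files; return its path."""
    root = tempfile.mkdtemp(prefix="parrot-demo-")
    os.makedirs(os.path.join(root, "wp-content", "themes"))
    files = {
        "wp-content/themes/app.js": CLEAN_JS,
        "wp-content/themes/jquery.min.js": INFECTED_JS,   # legit script with guard prepended
        "index.php": CLEAN_PHP,
        "wp-content/footer.html": INFECTED_HTML,
        "notes.txt": "ndsw appears here but .txt is not a web file\n",  # must be skipped
    }
    for rel, body in files.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo() -> Dict[str, List[str]]:
    """Build the sample site, scan it and print a report; returns the findings."""
    hits = scan_tree(build_sample_site())
    for path, markers in sorted(hits.items()):
        print(f"{path}: {', '.join(markers)}")
    return hits


if __name__ == "__main__":
    demo()
```

Point scan_tree at a real document root (for example /var/www/html) to run it against a live site; a hit does not prove compromise by itself, but any of these identifiers in a file that should not reference them warrants a manual look at that file and at the server's PHP files.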
Parrot TDS was first documented in April 2022 by cybersecurity researchers at Avast. At the time, Avast said the script had probably been active since 2019 and had infected over 16,500 websites.
Via BleepingComputer