A novel Traffic Direction System (TDS), dubbed Parrot TDS, uses a network of compromised web servers to route visitors who match the operators' target profile to domains that run scam schemes or deliver malware; visitors who do not fit the profile see the original site unchanged. At the time of writing, the number of compromised websites has reached 16,500 and is still growing. The adversaries primarily compromise legitimate servers hosting the websites and databases of educational institutions, governmental resources, and adult content platforms.
To detect malicious files planted on your systems by Parrot TDS operators, use the Sigma-based rule created by our Threat Bounty developer Furkan Celik, who is always on the lookout for emerging threats.
This detection is available for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.
The rule is aligned with the latest MITRE ATT&CK® framework v10, addressing the Command and Control tactic with Remote Access Software (T1219) as the primary technique.
Browse through the vast library of rules available in the SOC Prime’s platform to find other relevant threat detection content and detect whether your system is infected with malicious files. Are you a professional threat hunter striving to share your expertise with the world’s largest cybersecurity community? Join our crowdsourcing initiative for continuous rewards and recognition with the Threat Bounty program.
According to a new report by researchers at Avast, Parrot TDS appeared around October 2021, with the number of campaigns utilizing this tool spiking in February 2022.
Parrot TDS operators concentrate on compromising servers that host WordPress- and Joomla-powered websites, which sets it apart from its predecessor, the Prometheus TDS first observed in early autumn 2020. In the Prometheus TDS kill chain, threat actors started the infection chain with spam emails carrying an HTML attachment, a Google Docs URL, or a link to a web shell hosted on a hacked server. The malicious URL took victims to a Prometheus PHP backdoor that collected the required information about the visitor and sent it to the admin panel, where the operators decided whether to serve malware directly to the user or divert them to another URL of their choosing.
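Both the Parrot description above and the Prometheus chain rely on the same gating step: the compromised site collects request attributes, and only visitors who fit the operators' profile are diverted while everyone else gets the clean page. The following Python model of that decision step is a constructed illustration added to this post; it is not code recovered from Parrot TDS, Prometheus TDS, or the Avast report, it performs no redirection itself, and every rule value in it (the target operating systems, the search-engine referrer list, the `tds_seen` cookie name, the crawler regex, and the sample requests) is an assumption chosen for the example.

```python
"""Constructed model of a traffic direction system's visitor gating.

This is example code added to the post, not code from any real TDS.
It only models the decision described in the text: collect request
attributes, then decide whether the visitor fits the target profile
("redirect") or should see the unmodified site ("serve_clean").
All rule values below are assumptions made for the illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict

# Assumed target profile: desktop Windows browsers that arrived via a
# search engine and have not already been processed (no marker cookie).
TARGET_OS = ("Windows NT 10.0", "Windows NT 6.1")
SEARCH_REFERRERS = ("google.", "bing.", "duckduckgo.", "yahoo.")
SEEN_COOKIE = "tds_seen"  # hypothetical marker cookie name
# Crawlers, scanners and command-line clients are given the clean page so
# that search engines and casual analysts do not observe the redirect.
BOT_UA = re.compile(r"bot|crawl|spider|curl|wget|python-requests", re.I)


@dataclass
class Verdict:
    action: str   # "redirect" or "serve_clean"
    reason: str   # why the gate decided that way


def profile_visitor(headers: Dict[str, str]) -> Verdict:
    """Apply the assumed profile rules to one request's headers."""
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer", "")
    cookie = headers.get("Cookie", "")

    if not ua or BOT_UA.search(ua):
        return Verdict("serve_clean", "crawler or scanner user agent")
    if not any(os_tag in ua for os_tag in TARGET_OS):
        return Verdict("serve_clean", "operating system outside target profile")
    if not any(host in referer for host in SEARCH_REFERRERS):
        return Verdict("serve_clean", "did not arrive via a search engine")
    if f"{SEEN_COOKIE}=" in cookie:
        return Verdict("serve_clean", "visitor already processed")
    return Verdict("redirect", "fits target profile")


def summarize(requests: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each named request to the action the gate would take."""
    return {name: profile_visitor(h).action for name, h in requests.items()}


# Constructed sample requests (not captured traffic).
CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36")
SAFARI_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/15.3 Safari/605.1.15")
SAMPLE_REQUESTS = {
    "victim": {"User-Agent": CHROME_WIN, "Referer": "https://www.google.com/",
               "Cookie": "PHPSESSID=abc123"},
    "analyst_curl": {"User-Agent": "curl/7.81.0", "Referer": "", "Cookie": ""},
    "direct_visit": {"User-Agent": CHROME_WIN, "Referer": "", "Cookie": ""},
    "repeat_visitor": {"User-Agent": CHROME_WIN, "Referer": "https://www.bing.com/search?q=x",
                       "Cookie": "PHPSESSID=abc123; tds_seen=1"},
    "mac_user": {"User-Agent": SAFARI_MAC, "Referer": "https://www.bing.com/search?q=x",
                 "Cookie": ""},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_REQUESTS.items():
        v = profile_visitor(headers)
        print(f"{name:15s} -> {v.action:12s} ({v.reason})")
```

The practical consequence for investigators is visible in the `analyst_curl` and `direct_visit` cases: fetching a suspected page with curl, or with a browser but no search-engine referrer, returns the clean content and can falsely suggest the site is fine. When reproducing a suspected redirect, send a request that matches a real victim's profile (desktop browser user agent, search referrer, fresh cookies) and compare the response with the one a scanner receives.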
Follow SOC Prime blog updates to learn about the latest cybersecurity hot topics and enhance your threat hunting abilities. Eager to share your detection content with the world's largest cyber defense community? Cybersecurity researchers and content authors across the globe are welcome to contribute to collaborative cyber defense, earn recurring rewards, and join in combating current and evolving threats.