Parrot Traffic Direction System (TDS) Attacks

Anastasiia Yevdokimova
Latest posts by Anastasiia Yevdokimova (see all)
WRITTEN BY
Anastasiia Yevdokimova
[post-views]
April 15, 2022 · 4 min read
Novel Parrot TDS

A novel Traffic Direction System (TDS), dubbed Parrot TDS, takes advantage of a network of hacked servers that host websites to route victims that fit the required profile to domains used to run scamming schemes or distribute malware. According to the current data, the number of compromised websites has reached 16,500 and counting. Adversaries primarily target legitimate servers, hosting databases, and websites of educational institutions, governmental resources, and X-rated content platforms.

Detect Malicious Activity Associated With Parrot TDS

To detect malicious files planted in your system by Parrot TDS operators, utilize the Sigma-based rule created by our Threat Bounty developer Furkan Celik, who is always on the lookout for emerging threats:

Parrot Traffic Direction System(TDS) Hijacks Web Servers with NetSupport RAT installation (via file_event)

This detection is available for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Command and Control tactic with Remote Access Software (T1219) as the primary technique.

Browse through the vast library of rules available in the SOC Prime’s platform to find other relevant threat detection content and detect whether your system is infected with malicious files. Are you a professional threat hunter striving to share your expertise with the world’s largest cybersecurity community? Join our crowdsourcing initiative for continuous rewards and recognition with the Threat Bounty program.

View Detections Join Threat Bounty

Campaigns Using Parrot TDS

According to a new report by researchers at Avast, Parrot TDS appeared around October 2021, with the number of campaigns utilizing this tool spiking in February 2022.

Parrot TDS serves as a portal via which more harmful campaigns might reach potential victims. In this scenario, FakeUpdates (also known as SocGholish) alters the appearance of infected sites with JavaScript to display bogus alerts for the browser upgrade, with a required file available for download conveniently at hand. What victims really get is a remote access tool.

When a deceived user visits one of the infected sites, Parrot TDS uses an injected PHP script installed on the compromised website to gather client information and transmit the request to the command-and-control (C2) server, allowing the attacker to execute arbitrary code. The C2 server responds with JavaScript code that runs on the victim’s system and potentially exposing them to further risks. A web shell that provides the adversary persistent remote access to the webserver was also discovered along with the malicious backdoor PHP script. The payload is the NetSupport Client RAT set to run stealthily, granting access to the compromised machine. The mentioned web shell is further copied to multiple locations under almost identical names hence the “parroting” origin of the TDS’s moniker. 

Parrot TDS operators focus their malicious interest on exploiting servers that host WordPress and Joomla-powered websites, unlike its predecessor from early autumn 2020, the TDS tagged Prometheus. In the Prometheus TDS kill chain, threat actors utilized spam emails with an HTML attachment, a Google Docs URL, or a link to a web shell hosted on a hacked server to initiate a vicious process. A malicious URL took victims to a Prometheus PHP backdoor that collected the required information and sent it to the admin panel for the threat actors behind the attacks to decide whether to serve malware directly to the user or divert them to another URL set by the hackers.

Follow SOC Prime blog updates to learn about the latest cybersecurity hot topics and enhance your threat hunting abilities. Eager to share your detection content with the world’s largest cyber defense community? Cybersecurity researchers and content authors across the globe are highly welcome to contribute to collaborative cyber defense, earn recurring rewards, and fight in combating current and evolving threats.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.
Join for Free Book a Meeting

Related Posts

Akira Ransomware Detection
Blog, Latest Threats — 4 min read
Akira Ransomware Detection: Joint Cybersecurity Advisory (CSA) AA24-109A Highlights Attacks Targeting Businesses and Critical Infrastructure in North America, Europe, and Australia
Veronika Telychko
UAC-0184 Attack Detection Covered in the CERT-UA#9474 Alert
Blog, Latest Threats — 3 min read
UAC-0184 Abuses Messengers and Dating Websites to Proceed with Attacks Against Ukrainian Government and Military
Veronika Telychko
Blog, Latest Threats — 4 min read
russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) Attack Detection: Adversaries Apply an Aggressive Infection Approach Leveraging Three Malware Branches
Veronika Telychko