
Parrot TDS Uses Tens of Thousands Infected Sites to Distribute a RAT


Cybersecurity researchers detected a new TDS (Traffic Direction System), called Parrot, that uses tens of thousands of compromised websites.

Parrot TDS Uses a Large Network of Infected Sites

Parrot TDS has compromised web servers hosting more than 16,500 websites, according to researchers at Decoded (Avast's threat research blog). The affected sites span categories such as adult, personal, university and local government. A TDS acts as a gateway that profiles incoming visitors and routes the selected ones onward; in Parrot's case, the infected sites are modified by a FakeUpdate (SocGholish) campaign whose injected JavaScript displays a fake browser-update notification and ultimately delivers a remote access trojan (RAT) to the victim.

The researchers consider Parrot TDS similar to Prometheus TDS, which appeared in the wild in spring 2021, but Parrot is more robust and has a considerably larger reach. They observed "increased activity of the Parrot TDS in February 2022 by detecting suspicious JavaScript files on compromised web servers," according to the report. Further analysis revealed several types of campaigns being routed through Parrot. The TDS itself has been active at least since October 2021.

The compromised sites have nothing in common with one another beyond being hosted on servers that run poorly secured CMS installations, such as WordPress.

“From March 1, 2022 to March 29, 2022, we protected more than 600,000 unique users from around the globe from visiting these infected sites. In this time frame, we protected the most users in Brazil, more than 73,000 unique users, India, nearly 55,000 unique users, and more than 31,000 unique users from the US,” the report noted.

Parrot TDS: the Fake Update Campaign Explained

The FakeUpdate campaign adds a second layer of protection against analysis, using mechanisms such as unique URLs that serve the malicious content only once, to one specific visitor. The last of these mechanisms is a scan of the victim's PC, carried out by several JavaScript files that the FakeUpdate C2 server sends to the user. The scan harvests the following information from the victim:

Name of the PC
User name
Domain name
BIOS version
Antivirus and antispyware products
MAC address
OS version

The final payload of the operation is a RAT, commonly named ctfmon.exe to mimic a legitimate Windows binary (the genuine ctfmon.exe lives in the Windows system directory, which is a quick way to tell the two apart). The malware is started automatically at logon through a value set under the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key, the report added.
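The persistence mechanism described above is easy to check for. The following is an added example written for this article, not code from the Avast report: it walks a set of HKCU Run entries and flags any ctfmon.exe that does not live in the Windows system directory. The sample entries are constructed for illustration; on a Windows host the same logic can be run against the live registry key via the winreg helper.

```python
import ntpath
import platform

# Constructed sample of HKCU\...\Run values as (value name, command line) pairs.
# These are made-up entries for this example, not data from the Parrot TDS report.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("ctfmon", r"C:\Users\alice\AppData\Roaming\ctfmon.exe"),
    ("Updater", r'"C:\Users\alice\AppData\Local\Temp\ctfmon.exe" -s'),
    ("Input", r"C:\Windows\System32\ctfmon.exe"),
]

# Directories where a genuine ctfmon.exe is expected. Assumes the default
# C:\Windows system root; adjust if %SystemRoot% differs on the host.
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def executable_path(cmd):
    """Extract the executable path from a Run-key command line.

    Quoted paths are returned up to the closing quote; an unquoted path is
    taken as the first whitespace-separated token (so an unquoted path that
    itself contains spaces is truncated, a known limitation of this parser).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_suspicious(cmd):
    """True when the command launches a ctfmon.exe outside the system directories."""
    path = executable_path(cmd)
    # ntpath handles backslash paths correctly even when run on a non-Windows box.
    if ntpath.basename(path).lower() != "ctfmon.exe":
        return False
    return ntpath.dirname(path).lower() not in LEGIT_DIRS


def find_suspicious(entries):
    """Return (value name, executable path) for every suspicious Run entry."""
    return [(name, executable_path(cmd)) for name, cmd in entries if is_suspicious(cmd)]


def read_hkcu_run():
    """Read the live HKCU Run key. Only works on Windows (requires winreg)."""
    import winreg  # standard library on Windows; absent elsewhere

    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the last value has been enumerated
                break
            entries.append((name, str(value)))
            index += 1
    return entries


if __name__ == "__main__":
    entries = read_hkcu_run() if platform.system() == "Windows" else SAMPLE_RUN_ENTRIES
    for name, path in find_suspicious(entries):
        print(f"suspicious Run value {name!r} -> {path}")
```

Against the constructed sample the check flags the Roaming and Temp copies and leaves the System32 one alone. A real triage would go further (hash the file, check its signature, look at the parent process that wrote the key), but a ctfmon.exe launched from a user-writable directory is reason enough to pull the host for investigation.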

Previously Active TDS Systems

It is worth noting that as browsers hardened, the use of exploit kits began to decline and TDS infrastructure took over their role. Traffic distribution systems had always been a crucial component of exploit-kit operations, routing only suitable victims to the exploit landing page; once EKs faded, the TDS itself became the popular building block of malware distribution campaigns. One widely used example is BlackTDS, which emerged in 2018 and was marketed as a "Cloud TDS" service. The package handled social engineering and redirection to EKs while evading detection by researchers and sandboxes, and it gave customers access to fresh domains with clean reputations, served over HTTPS.

Another example of a TDS is ElTest, which was sinkholed in April 2018. It was considered the largest TDS before it was taken down.

Milena Dimitrova
