Cybersecurity researchers detected a new TDS (Traffic Direction System), called Parrot, that uses tens of thousands of compromised websites.
Parrot TDS Uses a Large Network of Infected Sites
The compromised sites have little in common beyond being hosted on servers running poorly secured CMS installations, such as WordPress.
“From March 1, 2022 to March 29, 2022, we protected more than 600,000 unique users from around the globe from visiting these infected sites. In this time frame, we protected the most users in Brazil, more than 73,000 unique users, India, nearly 55,000 unique users, and more than 31,000 unique users from the US,” the report noted.
Parrot TDS: the Fake Update Campaign Explained
Name of the PC
Antivirus and antispyware products
The final payload of the operation is a RAT, commonly named ctfmon.exe to mimic the name of a legitimate Windows program. The malicious tool is started automatically when the computer boots via an entry under the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key, the report added.
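A defender-side check for the persistence mechanism described above, added here as an example and not code from the report: it lists Run-key entries whose binary borrows a Windows system program's name but does not live in a system directory. The sample entries, the system-directory list (which assumes Windows is installed on C:) and the system binary names other than ctfmon.exe are constructed assumptions; on Windows the reader function pulls the live HKCU Run key.

```python
# Flag Run entries whose binary borrows a Windows system program's name (like the report's ctfmon.exe) but lives outside a system directory.
import ntpath
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SYSTEM_BINARY_NAMES = {"ctfmon.exe", "svchost.exe", "explorer.exe", "rundll32.exe"}
# Assumes Windows is installed on C:; adjust for other layouts.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def executable_from_command(command):
    """Quoted path if present, else the first token (unquoted paths with spaces stay ambiguous)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def is_masquerading(command):
    """System program's name outside a system dir (a bare name with no dir also counts)."""
    exe = executable_from_command(command).lower()
    for var in ("%systemroot%", "%windir%"):  # common in legitimate entries
        exe = exe.replace(var, r"c:\windows")
    if ntpath.basename(exe) not in SYSTEM_BINARY_NAMES:
        return False
    return not ntpath.dirname(exe).startswith(SYSTEM_DIRS)

def flag_masquerading_run_entries(entries):
    """entries: mapping of Run value name -> command line; returns flagged names."""
    return sorted(name for name, cmd in entries.items() if is_masquerading(cmd))

def read_current_user_run_key():
    """Read the live HKCU Run key on Windows; return {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
                return entries
            entries[name], index = value, index + 1

# Constructed sample resembling a Run key export (not taken from the report).
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ctfmon": r"%SystemRoot%\System32\ctfmon.exe",
    "Updater": r'"C:\Users\alice\AppData\Roaming\Update\ctfmon.exe"',
}
```

Run `flag_masquerading_run_entries(read_current_user_run_key() or SAMPLE_RUN_ENTRIES)` to check the current user's Run key on Windows or the constructed sample elsewhere; only the entry pointing at a ctfmon.exe under a user profile is reported.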
Previously Active TDS Systems
It is worth noting that, as browsers improved, the use of exploit kits declined and TDS systems took their place. Traffic distribution systems had in fact been a crucial component of exploit kits, and as EKs declined, TDS became more popular in malware distribution campaigns. An example of a widely used TDS is BlackTDS, which emerged in 2018 and offered a package of services known as Cloud TDS. The Cloud TDS package handled social engineering and redirection to EKs while evading detection by researchers and sandboxes. BlackTDS also had access to fresh domains with clean reputations over HTTPS.
Another example of a TDS is ElTest, which was sinkholed in April 2018. It was considered the largest TDS before it was taken down.