Malicious Web Redirection Service Infects 16,500 Sites to Spread Malware


A new traffic directing system (TDS) called Parrot relies on servers that host 16,500 websites for universities, local governments, adult content platforms and personal blogs.

Parrot is used for malicious campaigns to redirect potential victims matching a specific profile (localization, language, operating system, browser) to online resources such as phishing and malware depot sites.

Hackers running malicious campaigns purchase TDS services to filter incoming traffic and send it to an end destination delivering malicious content.

TDS are also used legitimately by advertisers and marketers, and some of these services have been exploited in the past to facilitate spam campaigns.

Used for RAT distribution

Parrot TDS was discovered by Avast threat analysts, who report that it is currently being used for a campaign called FakeUpdate, which delivers Remote Access Trojans (RATs) via fake browser update notices.

Site showing fake browser update warning (avast)

The campaign appears to have started in February 2022, but signs of Parrot activity date back to October 2021.

“One of the main things that sets Parrot TDS apart from other TDSs is its spread and number of potential victims,” Avast comments in the report.

“The compromised websites we found appear to have nothing in common other than servers hosting poorly secured CMS sites, such as WordPress sites.”

Malicious JavaScript code seen in compromised sites (avast)

Threat actors have planted a malicious web shell on compromised servers and copied it to various locations under similar names that follow a “parroting” pattern.

Additionally, adversaries use a PHP backdoor script that extracts client information and forwards requests to the Parrot TDS command-and-control (C2) server.

In some cases, operators use a shortcut without the PHP script, sending the request directly to the Parrot infrastructure.

Parrot direct redirect and proxy (avast)

Avast claims that in March 2022 alone, its services protected more than 600,000 of its customers from visiting these infected sites, indicating the massive scale of the Parrot redirect gateway.

Most of the users targeted by these malicious redirects were located in Brazil, India, the United States, Singapore, and Indonesia.

Heatmap of Parrot redirect attempts (avast)

As Avast details in the report, the user profiling and filtering in this particular campaign is so fine-tuned that malicious actors can single out a specific person among thousands of redirected users.

This is achieved by sending that target unique payload-drop URLs based on hardware, software, and WAN profiling.

The payload dropped onto target systems is the NetSupport Client RAT configured to run silently, which provides direct access to compromised machines.

Details of the dropped payload (avast)

Phishing Microsoft credentials

While the RAT campaign is currently the main operation served by the Parrot TDS, Avast analysts have also noticed several infected servers hosting phishing sites.

These landing pages resemble a legitimate-looking Microsoft login page asking visitors to enter their account credentials.

One of the phishing sites served by the Parrot TDS (avast)

For users who browse the web, keeping an up-to-date Internet security solution running at all times is the best defense against malicious redirects.

For administrators of potentially compromised web servers, Avast recommends the following actions:

  • Scan all files on the web server with an antivirus.
  • Replace all JavaScript and PHP files on the web server with the original ones.
  • Use the latest CMS version and plugin versions.
  • Check for tasks run automatically on the web server, such as cron jobs.
  • Always use unique and strong credentials for each service and all accounts, and add 2FA if possible.
  • Use some of the security plugins available for WordPress and Joomla.
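Acting on the second item (replacing JavaScript and PHP files with the originals) first requires knowing which files differ from a known-good copy. The following integrity check is an added example, not Avast's tooling or code from the article; it assumes a clean install or backup is available to record the baseline manifest, and its demo() function builds a constructed throwaway site to show what the diff reports after a simulated tampering.

```python
import hashlib
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = {".php", ".js"}  # the file types the remediation list says to restore


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(web_root: Path) -> dict:
    """Map relative path -> sha256 for every PHP/JS file under web_root."""
    return {
        p.relative_to(web_root).as_posix(): sha256_of(p)
        for p in sorted(web_root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """added: files only in the live tree (dropped shells/backdoors); modified: hash
    changed (injected JavaScript); removed: files missing from the live tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed sample: a tiny 'clean' site, then a simulated tampering of it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/themes/x").mkdir(parents=True)
        (root / "wp-content/uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-content/themes/x/main.js").write_text("console.log('hello');\n")
        baseline = build_manifest(root)  # recorded while the site is known-good
        # Constructed tampering: text appended to an existing JS file, and a new
        # PHP file dropped into a writable upload directory.
        with (root / "wp-content/themes/x/main.js").open("a") as f:
            f.write("/* appended */\n")
        (root / "wp-content/uploads/cache.php").write_text("<?php // constructed placeholder\n")
        return compare(baseline, build_manifest(root))
```

On a real server, record build_manifest() against the clean copy, store it off-box, and rerun compare() against the live web root; every path in "added" or "modified" is a candidate for restoration from the original files.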
