Published on January 23, 2024, 3:10 pm
Parrot Traffic Direction System (TDS), a malicious script designed to redirect website visitors to dangerous destinations, has recently undergone significant evolution, making it more difficult to detect. Researchers from Palo Alto Networks’ Unit 42 analyzed 10,000 Parrot landing page scripts collected between August 2019 and October 2023. Their analysis revealed that the majority of the scripts (75%) were new and represented the fourth iteration of the code. Additionally, 18% were from the previous version, while the remaining 7% were older scripts.
The latest version of Parrot TDS comes with several enhancements compared to its predecessors. These include improved obfuscation techniques using complex code structures and encoding mechanisms. The fourth iteration also includes different array indexing and handling methods that disrupt pattern recognition and signature-based detection. Furthermore, there are variations in how strings and numbers are handled within the script.
Despite these advancements in complexity, Parrot TDS remains as efficient and productive as ever. It profiles the victim’s environment and delivers different payloads based on the conditions it identifies. Unit 42 discovered a total of nine distinct payloads, which differ only slightly from one another through minor obfuscation changes and target operating system checks. Interestingly, in most cases (70%), Parrot TDS drops the second version of the payload without any obfuscation.
To ensure website owners remain secure against this threat, they should conduct regular server searches for suspicious PHP files. In addition, scanning for keywords like “ndsj,” “ndsw,” and “ndsx” is recommended. Employing firewalls to block webshell traffic can also enhance security measures. Lastly, deploying URL filtering tools can effectively block traffic originating from known malicious URLs and IP addresses.
Avast cybersecurity researchers first discovered Parrot TDS in April 2022 but suggested that it had likely been active since 2019, infecting over 16,500 websites during its operation.
In conclusion, the evolving nature of Parrot TDS poses a significant challenge for website owners and their security measures. By implementing proactive strategies such as regular server scanning, effective keyword searches, firewall usage, and URL filtering tools, website owners can protect themselves against this malicious script. Stay vigilant in safeguarding your online properties to prevent potential damage and ensure the safety of your visitors.