Malware Controlling Thousands of Sites in the Parrot TDS Network Discovered by Researchers

According to new research, the Parrot traffic direction system (TDS) that was revealed earlier this year had a greater impact than previously thought.

Sucuri, which has been tracking the same campaign under the name “NDSW/NDSX” since February 2019, stated that “the malware was one of the top infections” detected in 2021, accounting for over 61,000 websites.

Avast, a Czech cybersecurity company, documented Parrot TDS in April 2022, noting that the PHP script had ensnared web servers hosting more than 16,500 websites to act as a gateway for further attack campaigns.

This entails appending malicious code to all JavaScript files on compromised web servers hosting content management systems (CMS) like WordPress; the servers are said to have been breached by exploiting weak login credentials and vulnerable plugins.

In addition to using various obfuscation techniques to conceal the code, the “injected JavaScript may also be found well indented so that it appears less suspicious to a casual observer,” according to Sucuri researcher Denis Sinegubko.

The injected JavaScript uses the ndsj variable.
The JavaScript code’s purpose is to initiate the second phase of the attack: executing a PHP script that has already been deployed on the server and is designed to collect information about a site visitor (e.g., IP address, referrer, browser, etc.).

Typical obfuscated PHP malware discovered in the NDSW campaign
The third layer of the attack arrives from the server in the form of JavaScript code, which acts as a traffic direction system to determine the exact payload to deliver for a specific user based on the information shared in the previous step.

“Once the TDS has verified a specific site visitor’s eligibility, the NDSX script loads the final payload from a third-party website,” Sinegubko explained. The most commonly used third-stage malware is FakeUpdates (aka SocGholish), a JavaScript downloader.
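The article notes that the injected code is appended to JavaScript files and references the ndsj variable. The following scanner is an added example (not Sucuri's or Avast's tooling) that walks a web root, flags .js files containing that identifier and reports whether the hit sits at the tail of the file, where an appended block would be; the whole-word match and the constructed sample files are assumptions, so hits are candidates for review rather than confirmed infections.

```python
import os
import re
import tempfile
from typing import Dict, List

# Marker named in the article: the injected JavaScript references a variable "ndsj".
# Matching it as a whole word is an assumption about the injection's shape, not a
# published signature; treat hits as candidates for manual review.
NDSJ_PATTERN = re.compile(r"\bndsj\b")

def scan_js_file(path: str, tail_bytes: int = 4096) -> Dict[str, object]:
    """Return a finding for one .js file: how often 'ndsj' appears and whether the
    last hit lies within the final tail_bytes, typical of an appended block."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        data = fh.read()
    hits = [m.start() for m in NDSJ_PATTERN.finditer(data)]
    return {
        "path": path,
        "hits": len(hits),
        "in_tail": bool(hits) and hits[-1] >= max(0, len(data) - tail_bytes),
    }

def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a web root and return findings for every .js file referencing ndsj."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".js"):
                result = scan_js_file(os.path.join(dirpath, name))
                if result["hits"]:
                    findings.append(result)
    return sorted(findings, key=lambda f: f["path"])

# Constructed sample web root (not a real infection): one clean file and one with a
# well-indented block appended after the legitimate code, as the article describes.
CLEAN_JS = "function init() {\n  console.log('hello');\n}\n"
APPENDED_JS = CLEAN_JS + "\n;if (ndsj === undefined) {\n  var ndsj = true;\n  // constructed placeholder, no loader logic\n}\n"

def build_sample_root() -> str:
    root = tempfile.mkdtemp(prefix="ndsw-demo-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    with open(os.path.join(theme, "clean.js"), "w") as fh:
        fh.write(CLEAN_JS)
    with open(os.path.join(theme, "infected.js"), "w") as fh:
        fh.write(APPENDED_JS)
    return root

if __name__ == "__main__":
    for f in scan_tree(build_sample_root()):
        print(f"{f['path']}: {f['hits']} hit(s), appended block: {f['in_tail']}")
```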

Sucuri claimed to have removed Parrot TDS from nearly 20 million JavaScript files found on infected sites in 2021 alone. In the first five months of 2022, over 2,900 PHP and 1.64 million JavaScript files were cleaned.

“The NDSW malware campaign is extremely successful because it employs a versatile exploitation toolkit that is constantly updated with new disclosed and zero-day vulnerabilities,” Sinegubko said.

“Once the bad actor has gained unauthorized access to the environment, they install various backdoors and CMS admin users to maintain access to the compromised website long after the original vulnerability has been fixed.”
