Parrot TDS poses immediate risk to web developers worldwide

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

Staying up to date with the ever-evolving security landscape is central to maintaining the security of webservers and keeping potential threats at bay. 

There are several key threats to webservers that are important to be aware of, to prevent and mitigate those risks. DoS and DDoS attacks, SQL injections, unpatched software and cross-site scripting, to name a few. 

Now, a recent discovery from threat researchers at Avast has shone a light on an immediate and significant risk to web developers worldwide, named Parrot TDS.

What is a TDS?

Traffic Direction Systems (TDS) are not new. They have been an enemy of web-developers for several years. Used as landing pages that direct unsuspecting users to malicious content, TDS serve as a gateway for delivering various malicious campaigns via infected sites.

Many TDS’ have reached a high level of sophistication and often allow attackers to set parameters which look at users’ geolocation, browser type, cookies, and which website they came from. 

This is used to target victims who meet certain conditions and then only display phishing pages to them. These parameters are usually set so that each user is only shown a phishing page once to prevent servers from overloading.

Parrot TDS

In February, Avast’s threat researchers discovered a swarm of attacks using a new Traffic Direction System (TDS) to take control of the victim’s devices. The new TDS, named Parrot TDS, emerged in recent months and has already reached hundreds of thousands of users worldwide, infecting various webservers hosting over 16,500 websites.

One of the main factors distinguishing Parrot TDS from other TDS is how widespread it is and how many potential victims it has. From March 1, 2022, to March 29, 2022, Avast protected more than 600,000 unique users from around the globe visiting sites infected with Parrot TDS, including over 11,000 users in the U.K. In this timeframe, Avast protected the most users in Brazil (73,000) and India (55,000); and more than 31,000 unique users from the US.

In this particular case, the infected sites’ appearances are altered by a campaign called FakeUpdate, which uses JavaScript to display fake notices for users to update their browsers, offering an update file for download. The file we have observed being delivered to victims is a remote access tool called NetSupport Manager which is misused by attackers to give them full access to victims’ computers.

Parrot TDS also creates a backdoor on the infected webservers in the form of a PHP script to act as a backup option for the attacker.

FakeUpdate

Like Parrot TDS, FakeUpdate also performs a preliminary scan to collect information about the site visitor before displaying the phishing message. The scan checks which antivirus product is on the device to determine whether or not to display the phishing message. 

The distributed tool is configured in such a way that the user has very little chance of noticing it and if the file displayed by FakeUpdate is run by the victim, the attackers gain full access to their computer. 

The researchers observed other phishing sites being hosted on the Parrot TDS infected sites, but cannot conclusively tie them to Parrot TDS. 

CMS sites

We believe attackers are exploiting webservers of poorly secured content management systems, like WordPress and Joomla sites, by logging into accounts with weak credentials to gain admin access to the servers.  

WordPress has a long history of being a very rich and desirable target for exploits. This is because the software is based on running a series of PHP scripts, which is a popular venue for hackers. The sheer number of components, including plug-ins, themes, and other scripts, makes it hard to prevent potential infections or compromises.

On top of this, many WordPress websites are running older versions that could be behind several major releases, which leads to security vulnerabilities being left unpatched. In addition, some administrators are inexperienced in IT operational security or simply overburdened with other responsibilities and can’t dedicate enough time to implementing the necessary security measures to ensure the safety of a WordPress site.

How developers can protect their servers

Nevertheless, there are steps web developers can take to protect their servers against these attacks, starting with simply scanning all files on the webserver with an antivirus program. Further steps developers can take are:

- Replace all JavaScript and PHP files on the webserver with original files
- Use the latest CMS version
- Use the latest versions of installed plugins
- Check for automatically running tasks on the webserver (for example, cron jobs)
- Check and set up secure credentials, and use unique credentials for every service
- Check administrator accounts on the server, making sure each of them belongs to developers and have strong passwords
- When applicable, set up 2FA for all the webserver admin accounts
- Use available security plugins (WordPress, Joomla)

How site visitors can avoid falling victim to phishing

For site visitors, it’s as crucial as ever to be vigilant online. If a site being visited appears different than expected, visitors should leave the site and not download any files or enter any information. 

Similarly, visitors should only download updates directly from browser settings and never via other channels.

TOPICS
Malware Researcher at Avast

Jan is a Malware Researcher at Avast. He has been working in cybersecurity for four years and has published several research articles, including Parrot TDSCoinHelper, and MyKings. Jan holds a Master’s degree in Computer Security from the Czech Technical University, Prague, where he is also a guest lecturer in Malware and Reverse Engineering.