Hacked websites are being put at even greater risk by malicious web redirect scripts

News
By published

Parrot TDS is finding new ways to keep its code hidden from website owners

Representational image of internet connections against a cityscape.
Vad är Wifi 7? (Image credit: Shutterstock / metamorworks)

Parrot traffic direction system (TDS), a malicious script that redirects website visitors to dangerous destinations, was observed evolving and becoming harder to detect.

Cybersecurity researchers Unit 42, from Palo Alto Networks, recently analyzed 10,000 Parrot landing page scripts, gathered between August 2019 and October 2023. 

They concluded the majority of the scripts (75%) were new, representing the fourth iteration of the code. Another 18% were of the previous version, while the remaining 7% were running older scripts.

Different payloads for different victims

Compared to the older versions, the fourth iteration comes with a number of enhancements, including improved obfuscation with complex code structure and encoding mechanisms. Furthermore, the fourth version has different array indexing and handling that disrupts pattern recognition and signature-based detection, and comes with a variation in the handling of strings and numbers. 

As for its efficiency and productivity, Parrot TDS remains as useful as ever. It profiles the victim’s environment and, depending on the conditions found, drops different payloads. Unit 42 found a total of nine different payloads who, among themselves, don’t differ that greatly. There are “minor obfuscation changes” and target OS checks. 

In most cases (70%), Parrot will drop the second version of the payload with doesn’t come with any obfuscation.

To remain secure, website owners should search their servers for suspicious php files. They should also scan the ndsj, ndsw, and ndsx keywords, and use firewalls to block webshell traffic. Finally, they should deploy URL filtering tools to block traffic coming from known malicious URLs and IP addresses. 

Parrot TDS was first discovered in April 2022, by cybersecurity researchers from Avast. It was then said that the script was probably active since 2019, managing to infect more than 16,500 websites.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.