Millions at Risk As 'Parrot' Web Server Compromises Take Flight

Threat actors behind a traffic redirect system (TDS) that's been active since October 2021 have ramped up efforts to elude detection and can potentially reach millions of people with malicious scripts hidden in thousands of compromised websites.

Researchers from Unit 42 have been tracking Parrot TDS since they investigated a notification concerning a compromised website based in Brazil in early September, they revealed in a recent blog post. An investigation found that the website served pages with injected JavaScript identified as part of the Parrot TDS system, which controls thousands of compromised servers around the world delivering numerous variations of malicious JavaScript snippets. In a previous investigation in 2022 from Sucuri and Avast, for example, researchers observed websites that had been compromised with Parrot TDS delivering the FakeUpdates downloader (aka SocGholish) to unsuspecting visitors.

"Parrot TDS is part of an ongoing campaign targeting victims across the globe," Unit 42 researchers wrote in the post. "We see landing script or payload script samples daily from a variety of websites compromised through this campaign. "

Parrot injects malicious scripts into existing JavaScript code hosted on the server, which first profile the victim to see if certain conditions are met, and then serve up a payload script that can direct the victim's browser to a malicious location or piece of content. The campaign is agnostic in terms of nationality, geography, and industry, with scripts appearing on scores of sites across the globe, the researchers said.

"While campaigns involving malicious or injected JavaScript code are fairly common, Parrot TDS is notable due to its wide scope and ability to threaten millions of potential victims," the researchers wrote.

The attackers behind the system also have bolstered efforts to evade detection and analysis by security researchers, including a technique that uses multiple lines of injected JavaScript code rather than a single line of code, which is harder to spot in a script file, the researchers said.

Identifying Malicious Parrot TDS Scripts

Attackers likely use automatic tools to exploit known vulnerabilities to take over servers to deliver Parrot TDS scripts, the researchers said.

"The majority of the compromised servers use WordPress, Joomla or other content management systems (CMS) to host a website," they explained in the post. "Even websites without CMS could be compromised through this campaign, since server-side vulnerabilities are not limited to CMS."

Parrot TDS scripts come in two forms — a landing script, which conducts environment checks as a way to avoid detection to see if the victim is a viable candidate to deliver a follow-up payload script, which redirects to malicious content.

There are about nine versions of Parrot TDS payload scripts, which use an "ndsx" keyword and thus make them relatively easy to identify. All of the scripts are malicious except for V1, which only sets a cookie value for the victim and is otherwise benign, the researchers said.

V2 is the most common payload script, representing more than 70% of the samples that the researchers identified. Without any obfuscation, it creates a new script tag to load JavaScript from a malicious URL.

Parrot TDS payload script V3 contains obfuscation and only targets victims running Microsoft Windows to then act similarly to V2, loading an additional script from a malicious URL.

V4 and V5 payload scripts also are similar, with the former being essentially a V1 payload script plus additional malicious code, while V5 is effectively a V2 payload script plus additional code. In both cases, the additional code appears before the original V1 or V2 functions, the researchers said.

"The core function of this extra payload script code is to hook all clickable links in the landing page," they explained. "Whenever a visitor to the webpage clicks a link, the script will create a new image object and load from a specific URL."

V6 through V9 of the payload script include more obfuscation as well, but the researchers rarely saw them being used in the wild, they said.

Mitigation & Protection from Parrot's Bite

The researchers included a list of indicators of compromise (IoCs) in their blog post that can alert website administrators if Parrot TDS has compromised their sites. They include a list of SHA256 hashes for 100 examples of JavaScript files with injected landing script code for Parrot TDS, files that the researchers also have submitted to VirusTotal.

Administrators also can search files hosted on the associated Web server for keywords associated with the campaign, including "ndsj," "ndsw," and "ndsx," as well as conduct an audit to discover any extra .php files on a Web server to discover malicious scripts associated with Parrot TDS.

Next-generation firewall technology and advanced URL filtering also can help block malicious traffic and identified IoCs associated with the campaign, the researchers said.