Parrot traffic direction system (TDS), a malicious script that redirects website visitors to dangerous destinations, was observed evolving and becoming harder to detect.
Cybersecurity researchers Unit 42, from Palo Alto Networks, recently analyzed 10,000 Parrot landing page scripts, gathered between August 2019 and October 2023.
They concluded the majority of the scripts (75%) were new, representing the fourth iteration of the code. Another 18% were of the previous version, while the remaining 7% were running older scripts.
Different payloads for different victims
Compared to the older versions, the fourth iteration comes with a number of enhancements, including improved obfuscation with complex code structure and encoding mechanisms. Furthermore, the fourth version has different array indexing and handling that disrupts pattern recognition and signaturebased detection, and comes with a variation in the handling of strings and numbers.
As for its efficiency and productivity, Parrot TDS remains as useful as ever. It profiles the victim’s environment and, depending on the conditions found, drops different payloads. Unit 42 found a total of nine different payloads who, among themselves, don’t differ that greatly. There are “minor obfuscation changes” and target OS checks.
In most cases (70%), Parrot will drop the second version of the payload with doesn’t come with any obfuscation.
To remain secure, website owners should search their servers for suspicious php files. They should also scan the ndsj, ndsw, and ndsx keywords, and use firewalls to block webshell traffic. Finally, they should deploy URL filtering tools to block traffic coming from known malicious URLs and IP addresses.