Prague, Czech Republic, April 7, 2022 — Threat researchers at Avast (LSE:AVST), a global leader in digital security and privacy, discovered a new malicious Traffic Direction System (TDS), Parrot TDS, which has infected various web servers hosting more than 16,500 websites. The affected websites range from adult content sites, personal websites, university sites, to local government sites, and their appearances are altered to show a phishing page claiming the user needs to update their browser. When a user runs the browser update file offered, a Remote Access Tool (RAT) is downloaded, giving attackers full access to victims’ computers.
“Traffic Direction Systems serve as a gateway for the delivery of various malicious campaigns via the infected sites,” said Jan Rubin, malware researcher at Avast. “At the moment, a malicious campaign called ‘FakeUpdate’ (also known as SocGholish) is being distributed via Parrot TDS, but other malicious activity could be performed in the future via the TDS.”
Weak credentials give Parrot TDS wide reach
The Avast researchers Jan Rubin and Pavel Novak believe the attackers are compromising web servers that run poorly secured content management systems, such as WordPress and Joomla, by logging in with weak credentials to gain administrative access to the servers.
“The only thing the sites have in common is that they are WordPress and in some cases Joomla sites. We, therefore, suspect weak login credentials were taken advantage of to infect the sites with malicious code,” said Pavel Novak, ThreatOps Analyst at Avast. “The robustness of Parrot TDS and its huge reach makes it unique.”
Parrot TDS allows attackers to set parameters so that the phishing page is displayed only to potential victims who meet certain conditions, based on the visitor’s browser type, cookies, and the website they came from. The parameters are also set so that each visitor is shown the phishing page only once, which prevents the Parrot TDS servers from being overloaded.
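A toy illustration of why this gating makes verification tricky, added here as an example and not taken from Avast’s analysis: the hypothetical `ToyTdsGate` class models the conditions described above (browser type, referrer, a show-once cookie), and `probe_for_cloaking` shows how a site owner’s check should vary those inputs with a fresh cookie jar per request, because a single fetch, or a re-check that keeps its cookies, sees only the clean page. All names, agents and sample page bodies are constructed.

```python
import itertools

# Constructed sample responses: what a visitor sees with and without the lure.
CLEAN_BODY = "<html>normal site content</html>"
LURE_BODY = "<html>Your browser is out of date. Download the update now.</html>"


class ToyTdsGate:
    """Toy model of the gating described above (hypothetical, not Parrot TDS code):
    serve the lure only to allowed browsers arriving from allowed referrers, and
    only once per cookie jar."""

    SEEN_COOKIE = "seen"

    def __init__(self, allowed_browsers, allowed_referrers):
        self.allowed_browsers = allowed_browsers
        self.allowed_referrers = allowed_referrers

    def serve(self, user_agent, referrer, cookies):
        """Return (body, cookies_to_set), mimicking one HTTP exchange."""
        if cookies.get(self.SEEN_COOKIE):          # show-once: already served
            return CLEAN_BODY, {}
        browser = user_agent.split("/")[0]
        from_allowed_site = any(referrer.startswith(r) for r in self.allowed_referrers)
        if browser in self.allowed_browsers and from_allowed_site:
            return LURE_BODY, {self.SEEN_COOKIE: "1"}
        return CLEAN_BODY, {}


def naive_check(fetch, user_agent, referrer, cookie_jar):
    """A quick manual re-check that reuses one cookie jar across requests.
    Returns True if the response differs from the clean page."""
    body, set_cookies = fetch(user_agent, referrer, cookie_jar)
    cookie_jar.update(set_cookies)                 # persistent jar, like a browser session
    return body != CLEAN_BODY


def probe_for_cloaking(fetch, browser_agents, referrers, scanner_agent="site-checker/1.0"):
    """Defender's probe: compare what the scanner itself sees against every
    browser/referrer combination, using an empty cookie jar for each request so the
    show-once logic cannot suppress the lure. Returns the combinations that received
    different content."""
    baseline, _ = fetch(scanner_agent, "", {})
    hits = []
    for agent, ref in itertools.product(browser_agents, referrers):
        body, _ = fetch(agent, ref, {})            # fresh jar every time
        if body != baseline:
            hits.append((agent, ref))
    return hits
```

Against a real server the `fetch` callable would wrap an HTTP client; the point is that each probe starts with no cookies and sends browser-like User-Agent and Referer headers that a plain scanner fetch does not.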
Between March 1 and March 29, 2022, Avast protected more than 600,000 unique users around the globe from sites infected with Parrot TDS. In this timeframe, the countries with the most protected users were Brazil (more than 73,000 unique users), India (nearly 55,000 unique users), and the US (more than 31,000 unique users).
In addition to the FakeUpdate campaign, the Avast researchers observed other phishing sites being hosted on sites infected with Parrot TDS, but cannot conclusively tie these to Parrot TDS.
How developers can protect their servers
- Scan all files on the web server with an antivirus program, like Avast Antivirus
- Use the latest CMS version
- Use the latest versions of installed plugins
- Check for automatically running tasks on the web server (for example, cron jobs)
- Check and set up secure credentials, and use unique credentials for every service
- Check the administrator accounts on the server, making sure each of them belongs to a developer and has a strong password
- When applicable, set up 2FA for all the web server admin accounts
- Use available security plugins (WordPress, Joomla)
How site visitors can avoid falling victim to phishing
- If the site being visited appears different than expected, site visitors should leave the site and not download any files or enter any information
- Only download updates directly from browser settings, never via any other channels
The full analysis can be found on the Decoded blog: https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/