A Traffic Direction System (TDS) is being used in malicious campaigns to redirect victims matching a specific profile to phishing sites.
The FakeUpdate campaign
Researchers from Avast have discovered Parrot TDS and reported that it’s currently used under a campaign, dubbed FakeUpdate (aka SocGholish), which spreads RATs through fake browser update notices.
The campaign started in February, while the signs of Parrot activity have been traced back to October last year.
The campaign’s user profile and filtering are fine-tuned to target a particular type of victim from thousands of redirected users.
The attackers send unique payload-dropping URLs to the target on the basis of hardware, software, and network profiling.
The dropped payload is NetSupport Client RAT, which provides direct access to the compromised machines.
The Parrot TDS service
Parrot TDS relies on servers hosting 16,500 websites belonging to universities, adult content platforms, local governments, and personal blogs.
The attackers have planted a malicious web shell on compromised servers and copied it to different locations under the names following a parroting pattern.
In some instances, the attackers use a shortcut without the PHP script to send requests directly to the Parrot infrastructure.
Further, the attackers have used a PHP backdoor script to extract client information and forward requests to the Parrot TDS C2 server.
Additionally, researchers have noticed several infected servers hosting phishing sites resembling a legitimate-looking Microsoft login page that asks visitors to input their account credentials.
What to do?