Parrot TDS is a traffic direction system that injects landing scripts into compromised websites to fetch and execute a payload script, steering victims’ browsers to malicious destinations. The campaign has persisted since 2019/2021 and continues to evolve with multiple landing and payload script versions and obfuscation, affecting CMS-hosted sites worldwide. #ParrotTDS #ndsw #ndsj #ndsx
Key Points
- Parrot TDS injects landing JavaScript into legitimately hosted pages on compromised servers to control victim redirection.
- The landing script profiles the victim and, if conditions are met, prompts the browser to fetch a separate payload script from a payload server.
- Landing scripts rely on keywords like ndsj and ndsw, while payload scripts contain ndsx, enabling researchers to identify variants.
- Four major landing-script versions (V1–V4) account for most samples; later versions add heavier obfuscation (Canvas, WebAssembly, encoded strings).
- Payload scripts (nine identified versions) range from benign cookie-setting to loading additional malicious code, with V2 being the most prevalent.
- Parrot TDS targets websites globally, often via CMS-powered sites (WordPress/Joomla) and via automatic vulnerability exploitation.
MITRE Techniques
- [T1189] Drive-by Compromise – The attacker compromises a legitimate server and sets it up with Parrot TDS. “Attacker compromises a legitimate server and sets it up with Parrot TDS.”
- [T1059.007] JavaScript – The landing and payload scripts rely on JavaScript to execute and load additional payloads. “Landing script conducts environment checks… to avoid detection”
- [T1027] Obfuscated/Compressed Files and Information – Landing scripts show increasing obfuscation with techniques like Canvas, decodeURI or WebAssembly. “more obfuscation techniques such as Canvas, decodeURI or WebAssembly.”
- [T1105] Ingress Tool Transfer – The landing script contacts a payload server to retrieve the payload script. “The landing script directs the victim’s browser to retrieve a payload script from payload server.”
- [T1562.001] Impair Defenses – Landing script conducts environment checks as a way to avoid detection. “landing script conducts environment checks as a way to avoid detection.”
Indicators of Compromise
- [Hash] Landing Script Hashes – 0006060d1efe85b23f68f1b6fc086ab2fd5f2d80ca2e363cd0c000fd5a175ce2, 000954817a815dd64b6f061fbc28a8c7919616bb1708abb58754d680772a935c, and 98 other hashes
- [Hash] Payload Script Hashes – 0009fe8aa339fb489abcfd711d5c7b2a70b7d57ae55aae3922669f72cbf5964f, 0234918db61115aaa0c3be708084dae30feee8d97a41a011e3fbb06d745c496c, and 98 other hashes
- [String] Parrot TDS Keywords – ndsj, ndsw, ndsx, and 2 more strings (used in landing/payload scripts)
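The key points above explain that landing scripts carry the ndsj/ndsw keywords while payload scripts carry ndsx, and the IoC section lists script hashes. The following scanner, an added example that is not Unit 42's code, turns those two indicator types into a file-level triage check: it hashes each JavaScript or HTML file, compares it against the four SHA-256 values quoted on this page (the remaining hashes in the report are not reproduced here), and looks for the keyword strings on identifier boundaries so that ordinary words containing the same letters do not trigger a hit. The sample script bodies and the `scan_script`/`ScanResult` names are constructed for this example.

```python
"""Triage scanner for the Parrot TDS indicators listed on this page.

Added example, not Unit 42 code. Only indicators quoted above are used: the
keyword strings ndsj/ndsw (landing scripts) and ndsx (payload scripts), plus the
four SHA-256 hashes given in the IoC section. Sample scripts are constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

LANDING_KEYWORDS = ("ndsj", "ndsw")
PAYLOAD_KEYWORDS = ("ndsx",)

# SHA-256 hashes quoted in the IoC section (the report lists 98 more per type).
LANDING_HASHES = {
    "0006060d1efe85b23f68f1b6fc086ab2fd5f2d80ca2e363cd0c000fd5a175ce2",
    "000954817a815dd64b6f061fbc28a8c7919616bb1708abb58754d680772a935c",
}
PAYLOAD_HASHES = {
    "0009fe8aa339fb489abcfd711d5c7b2a70b7d57ae55aae3922669f72cbf5964f",
    "0234918db61115aaa0c3be708084dae30feee8d97a41a011e3fbb06d745c496c",
}

# A keyword counts only when it stands alone as a JavaScript identifier, so
# "ndsw" inside "windswept" is not a hit but "var ndsw" or "if(ndsj)" is.
_KEYWORD_RE = re.compile(r"(?<![A-Za-z0-9_$])(ndsj|ndsw|ndsx)(?![A-Za-z0-9_$])")


@dataclass
class ScanResult:
    sha256: str
    keywords: List[str]            # distinct keywords, in order of first appearance
    hash_match: Optional[str]      # "landing", "payload" or None
    classification: str            # "landing", "payload" or "clean"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_script(data: bytes) -> ScanResult:
    """Classify one file body using hash IoCs first, then keyword IoCs."""
    digest = sha256_hex(data)
    text = data.decode("utf-8", errors="replace")

    found: List[str] = []
    for match in _KEYWORD_RE.finditer(text):
        keyword = match.group(1)
        if keyword not in found:
            found.append(keyword)

    hash_match: Optional[str] = None
    if digest in LANDING_HASHES:
        hash_match = "landing"
    elif digest in PAYLOAD_HASHES:
        hash_match = "payload"

    # An exact hash match is authoritative; otherwise fall back to keywords,
    # treating ndsx (payload) as the stronger signal when both kinds appear.
    if hash_match is not None:
        classification = hash_match
    elif any(k in PAYLOAD_KEYWORDS for k in found):
        classification = "payload"
    elif any(k in LANDING_KEYWORDS for k in found):
        classification = "landing"
    else:
        classification = "clean"
    return ScanResult(digest, found, hash_match, classification)


# Constructed sample inputs; they reference the indicator names but are not
# real Parrot TDS code.
SAMPLE_INJECTED = b"var ndsw = true; /* constructed stand-in for an injected landing script */"
SAMPLE_PAYLOAD = b"var ndsx = true; document.cookie = 'x=1'; /* constructed stand-in */"
SAMPLE_BENIGN = b"var windswept = 'landscape'; console.log(windswept);"


if __name__ == "__main__":
    # Usage: python parrot_scan.py /var/www/html  (walks .js and .html files)
    import sys
    from pathlib import Path

    for root in sys.argv[1:] or ["."]:
        for path in Path(root).rglob("*"):
            if path.suffix.lower() not in (".js", ".html", ".htm") or not path.is_file():
                continue
            result = scan_script(path.read_bytes())
            if result.classification != "clean":
                print(f"{result.classification:8} {path} keywords={result.keywords} "
                      f"hash_match={result.hash_match}")
```

Hash matches are reported separately from keyword matches because the two have different evidential weight: a hash hit identifies a known sample, while a keyword hit only flags a file for manual review, and the report notes that later script versions add obfuscation that can hide the plain keyword.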
Read more: https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/