Parrot TDS is a widespread traffic direction system that abuses compromised web servers to funnel their visitors into malicious campaigns such as FakeUpdate. Avast Threat Labs reports it has been active since October 2021; Avast has already protected hundreds of thousands of users from it, and the number of compromised sites gives it the potential to expose millions.
#ParrotTDS #FakeUpdate
Keypoints
- Parrot TDS uses tens of thousands of compromised websites (WordPress/Joomla) as a gateway for malicious campaigns.
- The FakeUpdate (SocGholish) campaign displays fake update notices and delivers a remote access tool to victims.
- Two Parrot TDS variants exist: a proxied version, in which a malicious PHP backdoor on the server relays the visitor's request to the TDS, and a direct version, in which injected JavaScript talks to the TDS C2 directly; each has its own infection chain.
- The infection chain filters visitors in layers (IP address, User-Agent, referrer) and the FakeUpdate landing page fingerprints the device before the fake update notice is shown.
- The final payload is delivered in two phases: first a PowerShell script is dropped and run, then the NetSupport RAT is downloaded, made persistent, and gives the attacker remote access.
- Phishing pages (e.g., Microsoft login) were hosted on compromised servers as part of the campaigns.
- Avast Threat Labs recommends defenses for site owners and developers: scan all files on the server, keep the CMS and its plugins up to date, use strong unique credentials, enable 2FA, and run security plugins.
MITRE Techniques
- [T1078] Valid Accounts – Gained admin access to servers via poorly secured credentials. “we assume the attackers took advantage of poorly secured servers, with weak login credentials, to gain admin access to the servers.”
- [T1505.003] Web Shell – Traditional web shells were found on infected servers in various locations and under different names, following the same "parroting" naming pattern as the TDS scripts (names chosen to blend in with neighbouring legitimate files). "we also identified a traditional web shell on the infected web servers, which was located in various locations under different names but still following the same "parroting" pattern."
- [T1027] Obfuscated Files and Information – Use of obfuscated JavaScript and a Base64 encoded ZIP to deliver payloads. "This JavaScript also contains a Base64 encoded ZIP file with one malicious JavaScript file inside."
- [T1059.001] PowerShell – Final payload delivered after a PowerShell script is dropped and executed. “In the first phase, a PowerShell script is dropped and run by the malicious JavaScript code.”
- [T1105] Ingress Tool Transfer – Final payload downloaded to the AppData\Roaming folder after the initial stages. "This payload is downloaded to the AppData\Roaming folder."
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (formerly T1060) – NetSupport RAT auto-starts via an HKCU Run key for persistence. "The RAT is commonly named ctfmon.exe… It is also automatically started when the computer is switched on by setting an HKCU…Run registry key."
- [T1566] Phishing – Phishing sites imitating legitimate pages hosted on compromised servers (the page gives no attachment or link delivery detail, so no sub-technique is assigned; T1566.001 is Spearphishing Attachment and does not fit). "phishing sites… imitating, for example, a Microsoft office login page."
Indicators of Compromise
- [Domain] Parrot TDS/C2 domains – clickstat360[.]com, statclick[.]net, and 4 more domains
- [Domain] FakeUpdate C2 domains – parmsplace[.]com, ahrealestatepr[.]com, and 3 more domains
- [IP] C2/IP addresses – 109.234.35[.]249, 141.136.35[.]157, and 2 more IPs
- [SHA256] Parrot TDS – e22e88c8ec0f439eebbb6387eeea0d332f57c137ae85cf1d8d1bb4c7ea8bd2f2, daabdec3d5a43bb1c0340451be466d9f90eaa0cfac92fb6beaabc59452c473c3, and 1 more
- [SHA256] FakeUpdate – 0046fad95da901f398f800ece8af479573a08ebf8db9529851172ead01648faa, 15afd9eb66450b440d154e98ed82971f1b968323ff11b839b046ae4bec60f855
- [SHA256] NetSupport RAT – b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad, 8ad9c598c1fde52dd2bfced5f953ca0d013b0c65feb5ded73585cfc420c95a95, 4fffa055d56e48fa0c469a54e2ebd857f23eca73a9928805b6a29a9483dffc21
- [Filename] Executables/Files – ctfmon.exe, remcmdstub.exe, client32.ini
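Turning the indicators above into a check: the block below is an added example, not Avast's code. It refangs the domains and IPs listed on this page, matches DNS queries (exact host or subdomain), file hashes and Run-key values against them, and adds one heuristic of its own: a NetSupport file name (ctfmon.exe, remcmdstub.exe, client32.ini) under AppData\Roaming, where the report says the RAT is dropped, is flagged even when the hash is unknown, because the legitimate ctfmon.exe lives in System32. All telemetry records are constructed samples.

```python
"""Match the page's Parrot TDS / FakeUpdate / NetSupport IoCs against telemetry.

Added example (not Avast's code). The indicator values are copied from the
page's IoC list; the DNS, file and Run-key records are constructed samples,
and the AppData\\Roaming location rule is an added heuristic, not an IoC.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

TDS_DOMAINS = {"clickstat360[.]com", "statclick[.]net"}
FAKEUPDATE_DOMAINS = {"parmsplace[.]com", "ahrealestatepr[.]com"}
C2_IPS = {"109.234.35[.]249", "141.136.35[.]157"}
HASHES = {
    "e22e88c8ec0f439eebbb6387eeea0d332f57c137ae85cf1d8d1bb4c7ea8bd2f2": "Parrot TDS",
    "daabdec3d5a43bb1c0340451be466d9f90eaa0cfac92fb6beaabc59452c473c3": "Parrot TDS",
    "0046fad95da901f398f800ece8af479573a08ebf8db9529851172ead01648faa": "FakeUpdate",
    "15afd9eb66450b440d154e98ed82971f1b968323ff11b839b046ae4bec60f855": "FakeUpdate",
    "b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad": "NetSupport RAT",
    "8ad9c598c1fde52dd2bfced5f953ca0d013b0c65feb5ded73585cfc420c95a95": "NetSupport RAT",
    "4fffa055d56e48fa0c469a54e2ebd857f23eca73a9928805b6a29a9483dffc21": "NetSupport RAT",
}
RAT_FILES = {"ctfmon.exe", "remcmdstub.exe", "client32.ini"}
ROAMING = "\\appdata\\roaming\\"   # assumption-based location rule, see lead-in


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as a[.]b into a.b (lower-cased)."""
    return ioc.replace("[.]", ".").lower()


DOMAIN_LABELS: dict[str, str] = {}
for _d in TDS_DOMAINS:
    DOMAIN_LABELS[refang(_d)] = "Parrot TDS"
for _d in FAKEUPDATE_DOMAINS:
    DOMAIN_LABELS[refang(_d)] = "FakeUpdate"
IP_SET = {refang(i) for i in C2_IPS}


@dataclass
class Hit:
    source: str   # "dns", "file" or "runkey"
    value: str
    label: str


def match_host(host: str) -> str | None:
    """Exact IP match, or exact/subdomain match against the refanged domains."""
    host = host.lower().rstrip(".")
    if host in IP_SET:
        return "C2 IP"
    for dom, label in DOMAIN_LABELS.items():
        if host == dom or host.endswith("." + dom):
            return label
    return None


def sweep(dns: list[str], files: list[tuple[str, str]],
          run_keys: list[tuple[str, str]]) -> list[Hit]:
    """dns: queried names; files: (path, sha256); run_keys: (value name, command)."""
    hits: list[Hit] = []
    for q in dns:
        label = match_host(q)
        if label:
            hits.append(Hit("dns", q, label))
    for path, sha in files:
        name = PureWindowsPath(path).name.lower()
        if sha.lower() in HASHES:
            hits.append(Hit("file", path, HASHES[sha.lower()]))
        elif name in RAT_FILES and ROAMING in path.lower():
            hits.append(Hit("file", path, "NetSupport file name under AppData\\Roaming"))
    for name, cmd in run_keys:
        low = cmd.lower()
        if ROAMING in low and any(f in low for f in RAT_FILES):
            hits.append(Hit("runkey", name, "T1547.001 Run key launching NetSupport RAT"))
    return hits


def demo() -> list[Hit]:
    """Constructed telemetry: three DNS hits, two file hits, one Run-key hit."""
    dns = ["clickstat360.com", "cdn.statclick.net", "www.microsoft.com", "141.136.35.157"]
    files = [
        (r"C:\Users\bob\AppData\Roaming\ctfmon.exe",
         "b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad"),
        (r"C:\Windows\System32\ctfmon.exe", "0" * 64),      # legitimate location, unknown hash
        (r"C:\Users\bob\AppData\Roaming\client32.ini", "1" * 64),
    ]
    run_keys = [
        ("ctfmon", r'"C:\Users\bob\AppData\Roaming\ctfmon.exe"'),
        ("OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ]
    return sweep(dns, files, run_keys)


if __name__ == "__main__":
    for h in demo():
        print(f"{h.source:6} {h.label:45} {h.value}")
```

Feed `sweep()` with DNS logs, a file-hash inventory and an export of the HKCU Run key; the subdomain match in `match_host` matters because the page truncates its domain list with "and N more", so a hit on a known domain's subdomain is still a hit on that domain.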
Read more: https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/