In excess of 16,500 Internet sites Hacked to Distribute Malware by means of Website Redirect Assistance

A new targeted traffic direction method (TDS) termed Parrot has been noticed leveraging tens of hundreds of compromised sites to launch additional destructive strategies.

“The TDS has contaminated numerous world wide web servers internet hosting more than 16,500 internet websites, ranging from grownup articles web sites, personal internet websites, university web-sites, and nearby govt websites,” Avast scientists Pavel Novák and Jan Rubín stated in a report printed last 7 days.

Website traffic direction units are utilised by risk actors to establish regardless of whether or not a focus on is of fascination and need to be redirected to a destructive domain below their regulate and act as a gateway to compromise their techniques with malware.


Earlier this January, the BlackBerry Investigate and Intelligence Group detailed one more TDS called Prometheus that has been set to use in diverse campaigns mounted by cybercriminal teams to distribute Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish malware.

What helps make Parrot TDS stand out is its large achieve, with enhanced activity noticed in February and March 2022, as its operators have generally singled out servers hosting poorly secured WordPress web-sites to acquire administrator entry.

Most of the consumers specific by these malicious redirects are located in Brazil, India, the U.S, Singapore, Indonesia, Argentina, France, Mexico, Pakistan, and Russia.

“The infected sites’ appearances are altered by a marketing campaign known as FakeUpdate (also known as SocGholish), which employs JavaScript to show fake notices for buyers to update their browser, supplying an update file for download,” the scientists stated. “The file noticed staying shipped to victims is a distant entry software.”


Parrot TDS, by using an injected PHP script hosted on the compromised server, is designed to extract consumer facts and forward the ask for to the command-and-command (C2) server upon visiting a person of the contaminated sites, in addition to enabling the attacker to complete arbitrary code execution on the server.

The response from the C2 server requires the form of JavaScript code which is executed on the consumer machine, exposing the victims to probable new threats. Also observed along with the destructive backdoor PHP script is a web shell that grants the adversary persistent distant obtain to the website server.

Calling the prison actors powering the FakeUpdate marketing campaign a commonplace buyer of Parrot TDS, Avast reported the assaults associated prompting users to obtain malware less than the guise of rogue browser updates, a remote entry trojan named “ctfmon.exe” that gives the attacker complete access to the host.