Parrot TDS network

The Parrot traffic direction system(TDS), which was reported earlier this year, had a more profound impact than thought before, research stated.

Since February 2019, Sucuri has been following the campaign under the name “”NDSW/NDSX”  and stated that  “the malware was one of the top infections” identified in 2021, accounting for more than 61,000 websites. 

Avast, a Czech cybersecurity company, chronicled Parrot TDS in April 2022; Avast observed that the PHP script had trapped and turned web servers, which hosted more than 16,500 websites, into a gateway for launching further attacks. 

The attack entailed adding a piece of malicious code to all JavaScript files on compromised web servers storing content management systems (CMS) such as WordPress, which are breached because of weak login credentials and vulnerable plugins.

The “injected JavaScript may be well indented so that it can evade the eyes of a casual observer along with using different obscuring tactics to hide the code, said Sucuri researcher Denis Sinegubko.

JavaScript code initiates the second phase of the attack to execute a PHP script planted on the ever and works to collect information about a site visitor (e.g., IP address, referrer, browser, etc.) and transmit the details to a remote server.

The third layer of the attack arrives in the form of a JavaScript code from the server, which acts as a traffic direction system to decide the exact payload to deliver for a specific user based on the information shared in the previous step.

“Once the TDS has verified the eligibility of a specific site visitor, the NDSX script loads the final payload from a third-party website,” Sinegubko said. The most commonly used third-stage malware is a JavaScript downloader named FakeUpdates (aka SocGholish).

In 2021 alone, Sucuri said it removed Parrot TDS from nearly 20 million JavaScript files found on infected sites. In the first five months of 2022, over 2,900 PHP and 1.64 million JavaScript files have been observed containing the malware.

“The NDSW malware campaign is extremely successful because it uses a versatile exploitation toolkit that constantly adds new disclosed and 0-day vulnerabilities,” Sinegubko explained.

“Once the bad actor has gained unauthorized access to the environment, they add various backdoors and CMS admin users to maintain access to the compromised website long after the original vulnerability is closed.”