Brother
Obfuscation and changes in the code structure make it very difficult to detect JavaScript injections.
Cybersecurity researchers analyzed more than 10,000 scripts used by a traffic redirection system (TDS) called Parrot, and found significant developments in optimizing these scripts. Improvements make malicious code less visible to security systems and, as a result, more dangerous.
The Parrot TDS system was first discovered by Avast in April 2022 and is believed to have been active since 2019. Its main goal is to compromise vulnerable WordPress and Joomla sites and inject JavaScript code that redirects visitors to malicious resources.
According to Avast data for 2022, the Parrot system infected at least 16,500 websites, which indicates the scale of the operation. Parrot operators sell traffic to attackers who use it to profile visitors to infected sites and redirect them to phishing pages or resources that distribute malware.
The Unit 42 team from Palo Alto Networks indicates in a recent report that Parrot TDS remains active, and its operators continue to complicate the detection and removal of JavaScript injections. A study of 10,000 Parrot scripts collected from August 2019 to October 2023 revealed four iterations of the system's development, demonstrating progress in applying obfuscation techniques.
Malicious Parrot scripts help in user profiling and force the victim's browser to download malicious scripts from the attacker's redirecting server.
According to Unit 42, most of the infections in the analyzed sample have switched to the newest version of the script, and for good reason. The fourth version introduced improvements such as a more complex code structure and varied methods for indexing arrays and processing strings, which make it considerably harder to recognize and detect with signatures.
Despite the additional layers of obfuscation and changes in the code structure, the main functionality of version 4 remains unchanged: profiling the victim's environment and initiating the download of a malicious script.
In addition, Unit 42 found 9 variants of loader scripts responsible for redirecting users. In 70% of cases, version 2 is used without obfuscation. Versions 4-5 added obfuscation layers, which became more complex in versions 6-9, although these versions are quite rare on compromised sites.
Parrot TDS continues to be an active and evolving threat. Website owners are advised to check their servers for suspicious PHP files, scan for the ndsj, ndsw, and ndsx keywords, use firewalls to block web shell traffic, and use filtering tools to block known malicious URLs and IP addresses.
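As an added example (not code from the post, from Unit 42 or from Avast), the keyword check recommended above can be scripted as a small scanner that walks a web root and reports every JavaScript, HTML or PHP file containing one of the three marker identifiers. The directory layout and file contents below are constructed for the demonstration; the whole-word matching and the set of scanned file extensions are my assumptions, not something the post specifies.

```python
"""Scan a web root for the Parrot TDS marker keywords named in the post.

Added example, not from the post or from Unit 42/Avast. The sample web
root built by build_sample_tree() is constructed here for demonstration.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# The post names these three keywords as indicators of the injection.
# They are matched as whole identifiers (assumption) so that ordinary
# words do not trigger the rule, e.g. "bandswidth" must not match "ndsw".
MARKER_RE = re.compile(r"\b(ndsj|ndsw|ndsx)\b")

# File types where injected JavaScript and dropped PHP files would live
# (assumption; extend to suit the site).
SCANNED_SUFFIXES = {".js", ".php", ".html", ".htm"}


def scan_file(path: Path) -> Optional[dict]:
    """Return a finding for one file, or None if no marker is present."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    hits = sorted({m.group(1) for m in MARKER_RE.finditer(text)})
    if not hits:
        return None
    # Line number of the first occurrence lets an analyst jump straight to it.
    first_line = text[: MARKER_RE.search(text).start()].count("\n") + 1
    return {"path": str(path), "markers": hits, "line": first_line}


def scan_tree(root: str) -> List[dict]:
    """Walk a web root and return findings for every file carrying a marker."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in SCANNED_SUFFIXES:
                finding = scan_file(p)
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Create a constructed web root: two clean files and two carrying markers."""
    root = tempfile.mkdtemp(prefix="parrot-scan-")
    files = {
        # Clean: contains "ndsw" only inside another word, must not be flagged.
        "wp-content/themes/x/main.js": "function init(){console.log('bandswidth');}\n",
        "index.php": "<?php echo 'hello'; ?>\n",
        # Constructed injection: legitimate-looking code, then a marker on line 3.
        "wp-includes/js/jquery.js": "/* jquery */\nvar x=1;\nif(ndsw===undefined){/*...*/}\n",
        # Constructed dropped PHP file carrying two markers.
        "wp-content/uploads/cache.php": "<?php /* ndsj ndsx */ ?>\n",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in scan_tree(sample_root):
        print(f"{f['path']}:{f['line']}  markers={f['markers']}")
```

Run it against a real document root by calling `scan_tree("/var/www/html")` instead of the constructed tree; a hit only tells you where to look, so review each flagged file by hand and compare it against a clean copy of the CMS or theme before removing anything.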