# Malicious web redirect service infects 16,500 sites to push malware **[bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/](https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/)** Bill Toulas By [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) April 7, 2022 02:45 PM 0 ----- A new traffic direction system (TDS) called Parrot is relying on servers that host 16,500 websites of universities, local governments, adult content platforms, and personal blogs. Parrot's use is for malicious campaigns to redirect potential victims matching a specific profile (location, language, operating system, browser) to online resources such as phishing and malware-dropping sites. [Threat actors running malicious campaigns buy TDS services to filter incoming traffic and](https://www.bleepingcomputer.com/news/security/tds-systems-are-the-next-big-money-makers-in-the-land-of-cybercrime/) send it to a final destination serving malicious content. TDS are also legitimately used by advertisers and marketers, and some of these services [were exploited in the past to facilitate malspam campaigns.](https://www.bleepingcomputer.com/news/security/legitimate-tds-platform-abused-to-push-malware-via-exploit-kits/) ## Used for RAT distribution Parrot TDS was discovered by threat analysts at Avast, who report that it’s currently used for a campaign called FakeUpdate, which delivers remote access trojans (RATs) via fake browser update notices. ----- **Site displaying the fake browser update warning** _(Avast)_ The campaign appears to have started in February 2022 but signs of Parrot activity have been traced as far back as October 2021. “One of the main things that distinguishes Parrot TDS from other TDS is how widespread it is [and how many potential victims it has,” comments Avast in the report](https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/) “The compromised websites we found appear to have nothing in common apart from servers hosting poorly secured CMS sites, like WordPress sites.” ----- **Malicious** **JavaScript code seen in compromised sites** _(Avast)_ Threat actors have planted a malicious web shell on compromised servers and copied it to various locations under similar names that follow a “parroting” pattern. Moreover, the adversaries use a PHP backdoor script that extracts client information and forwards requests to the Parrot TDS command and control (C2) server. In some cases, the operators use a shortcut without the PHP script, sending the request directly to the Parrot infrastructure. ----- **Parrot's direct and proxied forwarding** _(Avast)_ Avast says that in March 2022 alone its services protected more than 600,000 of its clients from visiting these infected sites, indicating the massive scale of the Parrot redirection gateway. Most of the users targeted by these malicious redirections were in Brazil, India, the United States, Singapore, and Indonesia. ----- **Parrot's redirection attempts heatmap** _(Avast)_ As Avast details in the report, the particular campaign’s user profile and filtering are so finetuned that the malicious actors can target a specific person from thousands of redirected users. This is achieved by sending that target to unique payload-dropping URLs based on extensive hardware, software, and network profiling. The payload dropped on the targets' systems is the NetSupport Client RAT set to run in silent mode, which provides direct access to the compromised machines. ----- **The details of the dropped** **payload** _(Avast)_ ## Phishing Microsoft credentials While the RAT campaign is currently the main operation served by the Parrot TDS, Avast analysts have also noticed several infected servers hosting phishing sites. Those landing pages resemble a legitimate-looking Microsoft login page asking visitors to enter their account credentials. ----- **One of the phishing sites served by the Parrot TDS** _(Avast)_ For users who browse the web, having an up-to-date internet security solution running at all times is the best way to deal with malicious redirections. For admins of potentially compromised web servers, Avast recommends the following actions: Scan all files on the webserver with an antivirus. Replace all JavaScript and PHP files on the webserver with original ones. Use the latest CMS version and plugins versions. Check for automatically running tasks on the web server like cron jobs. Always use unique and strong credentials for every service and all accounts, and add 2FA where possible. Use some of the available security plugins for WordPress and Joomla ### Related Articles: [Hackers target Russian govt with fake Windows updates pushing RATs](https://www.bleepingcomputer.com/news/security/hackers-target-russian-govt-with-fake-windows-updates-pushing-rats/) [Iranian hackers exposed in a highly targeted espionage campaign](https://www.bleepingcomputer.com/news/security/iranian-hackers-exposed-in-a-highly-targeted-espionage-campaign/) [Bitter cyberspies target South Asian govts with new malware](https://www.bleepingcomputer.com/news/security/bitter-cyberspies-target-south-asian-govts-with-new-malware/) [Hackers display “blood is on your hands" on Russian TV, take down RuTube](https://www.bleepingcomputer.com/news/security/hackers-display-blood-is-on-your-hands-on-russian-tv-take-down-rutube/) [Chinese cyber-espionage group Moshen Dragon targets Asian telcos](https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-moshen-dragon-targets-asian-telcos/) [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications. An open source advocate and Linux enthusiast, is currently finding pleasure in following hacks, malware campaigns, and data breach incidents, as well as by exploring the intricate ways through which tech is swiftly transforming our lives. -----