Security researchers have identified an alarming evolution in the tactics employed by the Parrot traffic direction system (TDS) through the analysis of over 10,000 scripts. Initially discovered by Avast in 2022, Parrot TDS has been actively targeting vulnerable WordPress and Joomla sites, redirecting users to malicious destinations. Palo Alto Networks’ Unit 42 reports that the operators behind Parrot TDS are continuously optimizing their JavaScript injections to make them more elusive against security mechanisms.
The Parrot landing scripts, responsible for user profiling and initiating redirections, have progressed through four distinct versions, showcasing a refined use of obfuscation techniques. The latest version introduces enhancements like complex code structures, varied array indexing, and handling, disrupting pattern recognition and signature-based detection. Despite the increased layers of obfuscation, the core functionality of the landing script remains consistent, serving its primary purpose of victim environment profiling and payload script retrieval.
In the evolving attack chain, the payload scripts, responsible for user redirection, exhibit nine variants, with the threat actors favoring version 2 in 70% of observed cases. Versions 4-5 introduced obfuscation layers, further intricate in versions 6 through 9. Although these later versions are less prevalent in compromised sites, Parrot TDS remains an active and evolving threat, emphasizing the need for website owners to employ security measures such as server checks, keyword scans, firewalls, and URL filtering tools.
