The Parrot landing scripts, responsible for user profiling and initiating redirections, have progressed through four distinct versions, showcasing a refined use of obfuscation techniques. The latest version introduces enhancements like complex code structures, varied array indexing, and handling, disrupting pattern recognition and signature-based detection. Despite the increased layers of obfuscation, the core functionality of the landing script remains consistent, serving its primary purpose of victim environment profiling and payload script retrieval.
In the evolving attack chain, the payload scripts, responsible for user redirection, exhibit nine variants, with the threat actors favoring version 2 in 70% of observed cases. Versions 4-5 introduced obfuscation layers, further intricate in versions 6 through 9. Although these later versions are less prevalent in compromised sites, Parrot TDS remains an active and evolving threat, emphasizing the need for website owners to employ security measures such as server checks, keyword scans, firewalls, and URL filtering tools.