The new traffic distribution System (Traffic Direction System, TDS) called Parrot relies on servers hosting 16.5 thousand websites of universities, local authorities, adult platforms and personal blogs. Parrot is used to conduct malicious campaigns, during which criminals redirect potential victims to phishing sites and resources with malware.
Attackers buy TDS services to filter incoming traffic and send it to the final destination serving malicious content. TDS is also legitimately used by advertisers and marketers, and some of these services have been used in the past to conduct malicious spam campaigns.
Parrot TDS was discovered by analysts from Avast and is currently being used for a campaign called FakeUpdate, which distributes the NetSupport Remote Access Trojan (RAT) through fake browser update notifications.
The campaign supposedly began in February 2022, but signs of Parrot activity can be traced back to October 2021. The attackers installed a malicious web shell on compromised servers and copied it to various places under the same names.
In addition, the attackers use a PHP backdoor script that steals information about the client and redirects requests to the Parrot TDS command server.
Most of the affected users were in Brazil, India, the USA, Singapore and Indonesia. According to experts, the user profile and filtering of a specific campaign are so precisely configured that attackers can attack a specific person from thousands of redirected users.