Last month, Avast Threat Labs reported on the newly discovered Parrot Traffic Direction System (TDS), which was found to have compromised tens of thousands of websites.
As the name suggests, traffic direction systems are leveraged as Internet landing pages by cybercriminals to filter users according to various criteria to determine whether they are desired targets for malware distribution.
Unlike previous malicious TDS such as Prometheus, Parrot has much greater reach. Based on analysis and investigation conducted by Avast, Parrot TDS is believed to have been in operation since October 2021, with heightened levels of activity observed in February and March 2022. Targeted users are spread across the world; the Avast report reveals most targeted users were in Brazil, India, the U.S., Singapore, Indonesia, Thailand, the Philippines, Argentina, Mexico, France, Pakistan, and Russia.
Chain of Infection
Example of fake software update page
The RAT is commonly downloaded to the "AppData\Roaming" folder and masquerades as ctfmon.exe, the same name as a common, legitimate Microsoft process, and thus could easily go unnoticed. The RAT runs automatically after the client machine is switched on, and with chat functions disabled and the silent option turned on, it can operate stealthily in the background and be difficult to detect.
NetSupport RAT disguised as ctfmon.exe
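The masquerading described above gives defenders a simple host-level check: the legitimate ctfmon.exe lives under the Windows system directories, so a ctfmon.exe running from or starting at logon out of AppData\Roaming is the anomaly to alert on. The following is an added example written for this post, not code from Avast or Sangfor; the process list and Run-key entries it checks are constructed sample data, and the system directory paths are assumed defaults.

```python
# Added example: flag ctfmon.exe images that do not live in a Windows system directory.
# Process and autorun records below are constructed, not real telemetry.
import ntpath

# Assumed default locations of the genuine binary (adjust if %SystemRoot% differs).
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_masquerading(image_path: str) -> bool:
    """True if the image is named ctfmon.exe but is not in a system directory."""
    path = image_path.strip('"').lower()
    if ntpath.basename(path) != "ctfmon.exe":
        return False
    return not any(path.startswith(d + "\\") for d in LEGIT_DIRS)


def _exe_from_command(cmd: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]


def find_suspicious(processes, autoruns):
    """processes: list of (pid, image_path); autoruns: dict of value name -> command.
    Returns a list of (source, detail) findings for masquerading ctfmon.exe copies."""
    findings = []
    for pid, image in processes:
        if is_masquerading(image):
            findings.append(("process", f"pid {pid}: {image}"))
    for name, cmd in autoruns.items():
        if is_masquerading(_exe_from_command(cmd)):
            findings.append(("autorun", f"{name}: {cmd}"))
    return findings


# Constructed sample data resembling a process list and HKCU Run key on an infected host.
SAMPLE_PROCESSES = [
    (1234, r"C:\Windows\System32\ctfmon.exe"),            # genuine
    (5678, r"C:\Users\alice\AppData\Roaming\ctfmon.exe"),  # masquerading copy
    (9012, r"C:\Windows\explorer.exe"),
]
SAMPLE_AUTORUNS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ctfmon": r'"C:\Users\alice\AppData\Roaming\ctfmon.exe"',
}

if __name__ == "__main__":
    for source, detail in find_suspicious(SAMPLE_PROCESSES, SAMPLE_AUTORUNS):
        print(f"[{source}] {detail}")
```

On a live host the same functions can be fed the output of a process enumeration and the contents of the Run keys; the genuine System32 copy is never flagged, so the check stays quiet on clean machines.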
Indicators of Compromise (IoC) & Sangfor Protection
Avast Threat Labs provides in its report a list of IoCs for Parrot TDS, FakeUpdate, and NetSupport RAT.
Sangfor NGAF (Next-Generation Firewall) and Endpoint Secure (endpoint protection) using threat intelligence from Sangfor Neural-X are proven to detect, alert, and kill the malicious activity in each step of the attack kill chain, keeping users safe from intrusion. The following are examples of Sangfor Neural-X’s detection of key Parrot TDS IoCs (Screenshots taken from Sangfor Neural-X Threat Intelligence Platform).
Sangfor Neural-X detects SHA256 of NetSupport RAT
Sangfor suggests the following recommendations for developers to prevent servers from being compromised.
- Scan all files on the web server with antivirus. Sangfor recommends using Endpoint Secure for the least amount of impact to a system when scanning.
- Use the latest CMS version.
- Use the latest versions of installed plugins.
- Check for automatically running tasks on the web server (for example, cron jobs).
- Check and set up secure credentials. Make sure to always use unique credentials for every service.
- Check the administrator accounts on the server. Make sure each of them belongs to you and has a strong password.
- When applicable, set up 2FA for all the web server admin accounts.
- Use some of the available security plugins (WordPress, Joomla).
About Sangfor Technologies
Sangfor Technologies is an APAC-based, global leading vendor of Cyber Security, Cloud Computing, and Network Infrastructure solutions. To find out more about Sangfor’s full range of offerings, please visit us at www.sangfor.com, and let Sangfor make your digital transformation simpler and secure.