Hacked websites are being put at even greater risk by malicious web redirect scripts

Representational image of internet connections against a cityscape.
Vad är Wifi 7? (Image credit: Shutterstock / metamorworks)

Parrot traffic direction system (TDS), a malicious script that redirects website visitors to dangerous destinations, was observed evolving and becoming harder to detect.

Cybersecurity researchers Unit 42, from Palo Alto Networks, recently analyzed 10,000 Parrot landing page scripts, gathered between August 2019 and October 2023. 

They concluded the majority of the scripts (75%) were new, representing the fourth iteration of the code. Another 18% were of the previous version, while the remaining 7% were running older scripts.

Different payloads for different victims

Compared to the older versions, the fourth iteration comes with a number of enhancements, including improved obfuscation with complex code structure and encoding mechanisms. Furthermore, the fourth version has different array indexing and handling that disrupts pattern recognition and signature-based detection, and comes with a variation in the handling of strings and numbers. 

As for its efficiency and productivity, Parrot TDS remains as useful as ever. It profiles the victim’s environment and, depending on the conditions found, drops different payloads. Unit 42 found a total of nine different payloads who, among themselves, don’t differ that greatly. There are “minor obfuscation changes” and target OS checks. 

In most cases (70%), Parrot will drop the second version of the payload with doesn’t come with any obfuscation.

To remain secure, website owners should search their servers for suspicious php files. They should also scan the ndsj, ndsw, and ndsx keywords, and use firewalls to block webshell traffic. Finally, they should deploy URL filtering tools to block traffic coming from known malicious URLs and IP addresses. 

Parrot TDS was first discovered in April 2022, by cybersecurity researchers from Avast. It was then said that the script was probably active since 2019, managing to infect more than 16,500 websites.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Cisco, ASUS, QNAP, and Synology devices hijacked to major botnet
A close-up of an interent search bar with 'http://ww' visible
Major website hijacking scam sees over 35,000 sites attacked, redirected to gambling sites, so be on your guard
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
Ransomware
Researchers hijack thousands of backdoors thanks to expired domains
Mustang Panda
Chinese hackers abuse Microsoft tool to get past antivirus and cause havoc
Trojan
Hackers hide malware into website images to go unnoticed
Latest in Security
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedlyleft users exposed for months
DeepSeek
Fake DeepSeek installers are infecting your device with dangerous malware
AI tools.
Not even fairy tales are safe - researchers weaponise bedtime stories to jailbreak AI chatbots and create malware
Data leak
Top California sperm bank suffers embarrassing leak
An Android phone being held in the hand
These malicious Android apps were installed over 60 million times - here's how to stay safe
ransomware avast
Billions of credentials were stolen from businesses around the world in 2024
Latest in News
Stability AI 3D Video
Stability AI’s new virtual camera turns any image into a cool 3D video and I’m blown away by how good it is
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedlyleft users exposed for months
Google Pixel 9a
Google is delaying the Pixel 9a to fix a mystery “component quality issue”
The bottom left corner of an Android phone, showing the Phone, Messages, Google icons and Google Search bar
Google Messages remote delete will soon save you from texting embarrassment – and here's how it works
ExpressVPN mobile app and Aircove
ExpressVPN ‘reduces workforce’ for the second time in two years
The Nanoleaf PC Screen Mirror Lightstrip being used on a desktop computer.
Mac gaming could get an intriguing boost – but not in the way you'd expect