Websites with Parrot TDS have malicious scripts injected into existing JavaScript code hosted on the server.
To help the reader better understand Parrot TDS, this article provides in-depth analysis of the landing scripts and payload scripts we have collected from this campaign.
Our investigation revealed that this website served pages with injected JavaScript identified as Parrot TDS. Further research uncovered many variations of Parrot TDS script from various servers worldwide.
Before reviewing all variations of this script, we should better understand the basic nature of Parrot TDS.
Parrot TDS Overview
The Parrot TDS payload script can direct the victim's browser to a malicious webpage or other potentially harmful content.
We analyzed more than 10,000 Parrot TDS landing scripts from internal and external data sources.
These samples reveal four versions of Parrot TDS landing script that represent approximately 95.8% of the collected data as indicated in Figure 2 below.
The four versions of Parrot TDS landing script that make up 95.8% of our samples use either the keyword ndsw or ndsj, while the remaining 4.2% use the keyword ndsj.
Most Parrot TDS landing scripts from earlier in the campaign were injected as a single line of code, often appended at the end of JavaScript files served from the compromised website.
Parrot TDS landing script V3 hosts a long array of strings.
Parrot TDS landing script samples using an ndsj keyword are much rarer than ndsw in our collected data.
While earlier samples of the injected landing script consist of a single line of JavaScript code, we observed an increasing number of Parrot TDS samples with multiple lines of injected JavaScript code since August 2022.
Parrot TDS landing scripts profile the victim's web browser, and if all conditions are successfully met, they direct the victim's browser to retrieve a payload script.
Parrot TDS payload scripts use an ndsx keyword, making them relatively easy to identify.
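The keywords above (ndsw and ndsj in landing scripts, ndsx in payload scripts) and the single long line appended to the end of a legitimate JavaScript file are the indicators a web administrator can check for. The following scanner is an added example written for this article, not code from Unit 42 or from the campaign; the 300-character "long tail" threshold and the sample file contents are assumptions constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Keywords the article ties to Parrot TDS: ndsw/ndsj appear in landing
# scripts, ndsx in payload scripts. They are used as JS identifiers, so
# the regexes anchor on word boundaries to avoid partial-word hits.
LANDING_RE = re.compile(r"\b(ndsw|ndsj)\b")
PAYLOAD_RE = re.compile(r"\bndsx\b")
# Length at which a trailing single line counts as "long". This threshold
# is an assumption for the example, not a figure from the article.
LONG_TAIL_CHARS = 300


@dataclass
class ScanResult:
    path: str
    landing_keywords: list[str] = field(default_factory=list)
    payload_keyword: bool = False
    long_appended_line: bool = False

    @property
    def suspicious(self) -> bool:
        # The keywords are the indicator; the long tail only adds context,
        # since legitimately minified libraries also end in long lines.
        return bool(self.landing_keywords) or self.payload_keyword


def scan_js(path: str, source: str) -> ScanResult:
    """Report Parrot TDS indicators found in one JavaScript file's text."""
    result = ScanResult(path)
    result.landing_keywords = sorted(set(LANDING_RE.findall(source)))
    result.payload_keyword = PAYLOAD_RE.search(source) is not None
    lines = source.rstrip("\n").split("\n")
    # Early landing scripts were appended as one long line after the
    # legitimate code, so inspect the last line separately.
    result.long_appended_line = len(lines) > 1 and len(lines[-1]) >= LONG_TAIL_CHARS
    return result


# Constructed sample: a small legitimate file plus a stand-in injected tail.
# The tail only reuses the ndsw identifier; it is not the real injected code.
BENIGN_JS = "function add(a, b) {\n  return a + b;\n}\n"
INJECTED_TAIL = ";if(ndsw===undefined){var ndsw=true;}" + "var p=1;" * 40 + "\n"

if __name__ == "__main__":
    for name, text in (("clean.js", BENIGN_JS), ("infected.js", BENIGN_JS + INJECTED_TAIL)):
        r = scan_js(name, text)
        print(f"{r.path}: suspicious={r.suspicious} keywords={r.landing_keywords} "
              f"payload={r.payload_keyword} long_tail={r.long_appended_line}")
```

Run it over every .js file under the web root to get a first pass; a keyword hit in a file that the site's own code never defines warrants manual review of that file's tail.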
Compared to the landing scripts, we found fewer unique samples of Parrot TDS payload scripts.
We have classified these into nine versions, compared to the four major versions of Parrot TDS landing scripts.
Figure 12 shows a column chart revealing the Parrot TDS payload script distribution.
V1 is the simplest version of the Parrot TDS payload script, and it merely sets a cookie that expires after one year as shown below in Figure 13.
A Parrot TDS landing script will only query the payload server if the victim's browser has no cookie set by a previous payload script.
Parrot TDS payload script V2 is the most common version we see; around 70% of our collected payload samples are V2.
Parrot TDS payload script V3 contains obfuscation and only targets victims running Microsoft Windows.
This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Fri, 19 Jan 2024 20:43:05 +0000