Press releases

Avast Discovers Traffic Direction System Attempting to Deliver Malware to More Than 600,000 Users

More than 16,500 websites infected with Traffic Direction System “Parrot” designed to deliver malicious campaigns

More than 16,500 websites infected with Traffic Direction System “Parrot” designed to deliver malicious campaigns


Prague, Czech Republic, April 7, 2022 — Threat researchers at Avast (LSE:AVST), a global leader in digital security and privacy, discovered a new malicious Traffic Direction System (TDS), Parrot TDS, which has infected various web servers hosting more than 16,500 websites. The affected websites range from adult content sites, personal websites, university sites, to local government sites, and their appearances are altered to show a phishing page claiming the user needs to update their browser. When a user runs the browser update file offered, a Remote Access Tool (RAT) is downloaded, giving attackers full access to victims’ computers.

“Traffic Direction Systems serve as a gateway for the delivery of various malicious campaigns via the infected sites,” said Jan Rubin, malware researcher at Avast. “At the moment, a malicious campaign called ‘FakeUpdate’ (also known as SocGholish) is being distributed via Parrot TDS, but other malicious activity could be performed in the future via the TDS." 

Weak Credentials give Parrot TDS wide reach

The Avast researchers Jan Rubin and Pavel Novak believe attackers are exploiting web servers of poorly secured content management systems, like WordPress and Joomla sites, by logging into accounts with weak credentials to gain admin access to the servers. 

“The only thing the sites have in common is that they are WordPress and in some cases Joomla sites. We, therefore, suspect weak login credentials were taken advantage of to infect the sites with malicious code,” said Pavel Novak, ThreatOps Analyst at Avast. “The robustness of Parrot TDS and its huge reach makes it unique.”

Parrot TDS allows attackers to set parameters to only display phishing pages to potential victims who meet certain conditions, which look at users’ browser type, cookies, and which website they came from. These parameters are set so that each user is only shown a phishing page once, to prevent Parrot TDS’ servers from overloading. 

From March 1, 2022 - March 29, 2022, Avast protected more than 600,000 unique users from around the globe visiting sites infected with Parrot TDS. In this timeframe, Avast protected the most users in: Brazil, more than 73,000 unique users; India, nearly 55,000 unique users; and more than 31,000 unique users from the US. 

FakeUpdate Campaign
The malicious FakeUpdate campaign uses JavaScript to change site appearances to display phishing messages claiming the user needs to update their browser. Like Parrot TDS, FakeUpdate also performs a preliminary scan to collect information about the site visitor before displaying the phishing message. This is an act of defense to determine whether or not to display the phishing message, among other things, the scan checks which antivirus product is on the device. The file being offered as an update file is really a remote access tool called NetSupport Manager. The bad actors behind the campaign have configured the tool in such a way that the user has very little chance of noticing it. If the file is run by the victim, the attackers gain full access to their computer. The cybercriminals behind the FakeUpdate campaign can change the payload delivered to victims at any time.

In addition to the FakeUpdate campaign, the Avast researchers observed other phishing sites being hosted on the Parrot TDS infected sites, but cannot conclusively tie these to Parrot TDS. 

How developers can protect their servers 

  • Scan all files on the web server with an antivirus program, like Avast Antivirus
  • Replace all JavaScript and PHP files on the web server with original files
  • Use the latest CMS version
  • Use the latest versions of installed plugins
  • Check for automatically running tasks on the web server (for example, cron jobs)
  • Check and set up secure credentials, and use unique credentials for every service
  • Check administrator accounts on the server, making sure each of them belongs to developers and have strong passwords
  • When applicable, set up 2FA for all the web server admin accounts
  • Use available security plugins (WordPress, Joomla)

How site visitors can avoid falling victim to phishing

  • If the site being visited appears different than expected, site visitors should leave the site and not download any files or enter any information 
  • Only download updates directly from browser settings, never via any other channels

The full analysis can be found on the Decoded blog: https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/