A new malicious traffic management system (TDS), Parrot TDS, was discovered that has infected several web servers hosting more than 16,500 sites. Affected websites include adult content pages, personal, university and government sites.
The appearance of an infected site is modified to display a phishing page that claims the user needs to update their browser.
When the user runs the browser update file that is offered, a Remote Access Tool (RAT) is downloaded, giving the attackers full access to the victim's computer.
“Traffic management systems serve as a gateway for the delivery of various malicious campaigns across infected sites,” said Jan Rubin, a malware researcher at Avast, who identified this problem. “At this time, a malicious campaign called FakeUpdate (also known as SOCgholish) is being distributed through Parrot TDS, but other malicious activities could be carried out in the future through TDS.”
Researchers Jan Rubin and Pavel Novak believe that the attackers are exploiting the web servers of insecure content management systems, such as WordPress and Joomla sites.
The criminals take advantage of accounts protected by weak credentials to gain administrator access to the servers.
“The only thing that sites have in common is that they are WordPress and, in some cases, Joomla sites. Therefore, we suspect that they take advantage of weak login credentials to infect sites with malicious code,” said Pavel Novak, ThreatOps analyst at Avast. He added: “The robustness of Parrot TDS and its great reach make it unique.”
Parrot TDS allows attackers to set parameters to only display phishing pages to potential victims who meet certain conditions, taking into account the user's browser type, cookies and the website they come from.
What is the FakeUpdate campaign about?
The malicious FakeUpdate campaign uses JavaScript to change the appearance of the site and display phishing messages claiming that the user needs to update their browser.
Like Parrot TDS, FakeUpdate also performs a preliminary scan to collect information about the site visitor before displaying the phishing message. This is an evasion measure, used to decide, among other things, whether or not to display the phishing message.
The scan verifies which antivirus product is on the device. The file offered as an update is actually a remote access tool called NetSupport Manager.
The cybercriminals behind the campaign have configured the tool so that the user has very little chance of noticing it. If the victim runs the file, the attackers gain full access to the computer and can change the payload delivered to victims at any time.
In addition to the FakeUpdate campaign, the researchers looked at other phishing sites hosted on the infected Parrot TDS sites, although they cannot conclusively link them to that traffic management system.
How can users avoid becoming victims of phishing:
1. If the site being visited looks different than expected, visitors should leave the page and not download any files or enter any information.
2. Browser updates should be obtained only through the browser's own settings, never through other channels.
How developers can protect servers:
1. Replace all JavaScript and PHP files on the web server with the original, known-clean files.
2. Use the latest version of the content management system or CMS.
3. Use the latest versions of installed add-ons.
4. Check if there are tasks running automatically on the web server.
5. Verify and configure secure credentials and use unique credentials for each service.
6. Check administrator accounts on the server, ensuring that each account belongs to developers and has strong passwords.
7. When applicable, configure the second authentication factor for all web server administrator accounts.
8. Use available security add-ons.
9. Scan all files on the web server with an antivirus program.
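As an added example that is not part of the article or of Avast's research, the script below supports steps 1 and 9 of the list above: it records SHA-256 hashes of a site's JavaScript and PHP files from a known-clean copy, and a later run reports files that were added, modified or removed, so altered or dropped files can be found and replaced. The directory layout, file names and contents used in `demo()` are constructed for illustration.

```python
import hashlib
import json
import sys
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = {".js", ".php"}  # the file types the article says get replaced or injected

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Hash every .js/.php file under root, keyed by its path relative to root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }

def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files added, modified or missing relative to the known-clean baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed scenario: a clean site, then one altered script and one dropped PHP file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "jquery.js").write_text("/* constructed clean file */\n")
        (root / "index.php").write_text("<?php /* constructed clean file */ ?>\n")
        (root / "style.css").write_text("body {}\n")  # not a watched type, ignored
        baseline = build_manifest(root)
        (root / "wp-includes" / "jquery.js").write_text("/* constructed clean file */\n/* appended */\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "dropped.php").write_text("<?php /* constructed new file */ ?>\n")
        return compare_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    # usage: integrity.py baseline <site_root> <manifest.json> | integrity.py check <site_root> <manifest.json>
    mode, root, manifest = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if mode == "baseline":
        manifest.write_text(json.dumps(build_manifest(root), indent=2))
    else:
        print(json.dumps(compare_manifests(json.loads(manifest.read_text()), build_manifest(root)), indent=2))
```

Take the baseline from a freshly deployed copy of the CMS and add-ons rather than from the possibly compromised server, otherwise an already injected file would be recorded as clean.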