1

Warning to all NextDNS Users Parrot TDS is not blocked.

Parrot TDS takes over web servers and threatens millions - Avast Threat Labs

A new Traffic Direction System (TDS) we are calling Parrot TDS, using tens of thousands of compromised websites, has emerged in recent months and is reaching users from around the world. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites, personal websites, university sites, and local government sites.

Parrot TDS acts as a gateway for further malicious campaigns to reach potential victims. In this particular case, the infected sites’ appearances are altered by a campaign called FakeUpdate (also known as SocGholish), which uses JavaScript to display fake notices for users to update their browser, offering an update file for download. The file observed being delivered to victims is a remote access tool.

 

C&C Servers
clickstat360[.]com
statclick[.]net
staticvisit[.]net
webcachespace[.]net
syncadv[.]com
webcachestorage[.]com

FakeUpdate

SHA256 Description
0046fad95da901f398f800ece8af479573a08ebf8db9529851172ead01648faa FakeUpdate JavaScript
15afd9eb66450b440d154e98ed82971f1b968323ff11b839b046ae4bec60f855 FakeUpdate appearance JavaScript
C&C Servers    
parmsplace[.]com ahrealestatepr[.]com expresswayautopr[.]com
xomosagency[.]com codigodebarra[.]co craigconnors[.]com
lawrencetravelco[.]com maxxcorp[.]net 2ctmedia[.]com
accountablitypartner[.]com walmyrivera[.]com youbyashboutique[.]com
weightlossihp[.]com codingbit[.]co[.]in fishslayerjigco[.]com
avanzatechnicalsolutions[.]com srkpc[.]com wholesalerandy[.]com
mattingsolutions[.]co integrativehealthpartners[.]com wwpcrisis[.]com
lilscrambler[.]com markbrey[.]com nuwealthmedia[.]com
pocketstay[.]com fioressence[.]com drpease[.]com
refinedwebs[.]com spillpalletonline[.]com altcoinfan[.]com
windsorbongvape[.]com hill-family[.]us 109.234.35[.]249
141.136.35[.]157 91.219.236[.]192* 91.219.236[.]202*

* Delivering the final payload

NetSupport RAT

SHA256 Filename
b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad %AppData%/Roaming/xxx/ctfmon.exe**
8ad9c598c1fde52dd2bfced5f953ca0d013b0c65feb5ded73585cfc420c95a95 %AppData%/Roaming/xxx/remcmdstub.exe**
4fffa055d56e48fa0c469a54e2ebd857f23eca73a9928805b6a29a9483dffc21 %AppData%/Roaming/xxx/client32.ini**

**xxx stands for the random string name

C&C
194.180.158[.]173
87.120.8[.]141
15.76.172[.]110
45.76.172[.]113
5.180.136[.]119
94.158.247[.]84
94.158.245[.]113
94.158.247[.]100
154.38.242[.]14
199.247.3[.]55

 

Please block all these domains. 

 

Thank you

6replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • probably the most is already blocked with OISD blocklist

    Like 1
    • No not in that list yet. juliank 

      I have not found any of these domains in any list. 

      Like
      • juliank
      • juliank
      • 2 mths ago
      • Reported - view

      John DeCarlo statclick[.]net is blocked by oisd

      Like
      • juliank
      • juliank
      • 2 mths ago
      • 1
      • Reported - view

      John DeCarlo another one also blocked by OISD and the TIF 

      Like 1
  • @John Decarlo, thanks for posting this, but please edit the link in your original post to remove the tracker in the link.   Here's the link without the tracker.  https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions

    Like 1
  • Blocked by 1Hosts (Pro).

    Like
Like1 Follow
  • 1 Likes
  • 2 mths agoLast active
  • 6Replies
  • 213Views
  • 4 Following