Warning to all NextDNS users: Parrot TDS is not blocked.
Parrot TDS takes over web servers and threatens millions - Avast Threat Labs
A new Traffic Direction System (TDS) we are calling Parrot TDS, using tens of thousands of compromised websites, has emerged in recent months and is reaching users from around the world. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites, personal websites, university sites, and local government sites.
Parrot TDS acts as a gateway for further malicious campaigns to reach potential victims. In this particular case, the infected sites’ appearances are altered by a campaign called FakeUpdate (also known as SocGholish), which uses JavaScript to display fake notices for users to update their browser, offering an update file for download. The file observed being delivered to victims is a remote access tool.
FakeUpdate
Delivering the final payload
NetSupport RAT
Please block all these domains.
Thank you
2 replies
-
@John Decarlo, thanks for posting this, but please edit the link in your original post to remove the tracker in the link. Here's the link without the tracker: https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions
-
Blocked by 1Hosts (Pro).