Threat actors have been leveraging the new traffic direction system dubbed Parrot, which depends on servers hosting 16,500 websites, in the FakeUpdate campaign that uses fake browser update notices to distribute remote access trojans, reports BleepingComputer.
While the FakeUpdate campaign began only in February, Parrot activity may have been under way since last October, an Avast report revealed. "One of the main things that distinguishes Parrot TDS from other TDS is how widespread it is and how many potential victims it has. The compromised websites we found appear to have nothing in common apart from servers hosting poorly secured CMS sites, like WordPress sites," said Avast. Attackers have been observed deploying the NetSupport Client RAT on targeted systems, while many servers compromised by the Parrot TDS have also been hosting sites for Microsoft credential phishing. Over 600,000 Avast clients were protected against the campaign last month alone, with Brazil, India, the US, Singapore, and Indonesia accounting for the largest number of users targeted by the malicious Parrot redirections, according to Avast.