Parrot TDS
⚠️ Overview
Parrot TDS is a traffic direction system (TDS) used by cybercriminal groups to redirect web traffic for malicious purposes, first documented in 2019 by RiskIQ researchers during an investigation into web skimming campaigns. Unlike ransomware or botnets, Parrot TDS is classified as a traffic redirection and credential theft tool, operating as a service for deploying payment card skimmers via compromised websites. It is attributed to the FIN6 cybercrime group (also tracked as ITG08) based on operational overlaps observed in Mandiant and FireEye reports.
🔧 Technical Capabilities
Parrot TDS functions by intercepting HTTP requests through injected JavaScript or iframes on compromised e-commerce platforms (Magento, WooCommerce), analyzing visitor IP addresses, user agents, and geolocation to selectively serve the Magecart-style skimmer payloads only to target profiles—a technique known as "geo-fencing." The TDS caches skimmer code in browser localStorage to evade repeated detection and uses domain fronting via compromised cloud providers (e.g., AWS S3 buckets) for C2 communication. Persistence is achieved through cron jobs on Linux-based servers and malicious WordPress plugins that restore the injection code after cleanup. Evasion includes checking for debugger tools, headless browsers, and security crawlers (e.g., Googlebot) to avoid sandbox analysis, with fallback mechanisms using DGA-like random subdomains.
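A defender-side check for the profile-dependent serving described above: fetch the same page under different visitor profiles (for instance as a security crawler and as an ordinary shopper), collect the script elements each response contains, and report scripts that only some profiles receive. This is an added example, not code from the original page or from any of the vendors it names; the two HTML responses and the domain in them are constructed stand-ins for real fetches.

```python
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Record external script URLs and a short hash of every inline script body."""

    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.add("src:" + src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.scripts.add("inline:" + hashlib.sha256(body).hexdigest()[:16])
            self._in_script = False


def script_set(html):
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def cloaking_diff(views):
    """views maps a visitor profile name to the HTML that profile received.
    Returns, per profile, the scripts NOT served to every profile: a TDS that
    gates the skimmer on UA/IP/geo shows up as a non-empty entry."""
    sets = {name: script_set(html) for name, html in views.items()}
    common = set.intersection(*sets.values())
    return {name: sorted(s - common) for name, s in sets.items()}


# Constructed responses: what a security crawler saw vs. what a shopper saw.
BODY = '<script src="/static/app.js"></script><script>init();</script>'
CRAWLER_VIEW = "<html>" + BODY + "</html>"
SHOPPER_VIEW = "<html>" + BODY + '<script src="https://k3j9x2pa.com/s.js"></script></html>'
```

Run it against captures taken from several source networks and user agents; any script that appears for shoppers but not for crawlers deserves a manual look.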
📜 History & Notable Incidents
Parrot TDS was first publicly identified in December 2019 by RiskIQ (now part of Microsoft) in a report detailing its use against U.S. and European retailers during the 2019 holiday shopping season. A notable campaign in 2020 targeted major fashion brands (e.g., Puma, New Era) via compromised Magento extensions, exfiltrating payment card data from thousands of customers. No specific CVEs are linked to Parrot TDS itself, but it exploits known vulnerabilities such as CVE-2019-11854 in Magento (unrestricted file upload) and CVE-2020-8810 in WooCommerce (insecure object injection) to achieve initial compromise. Law enforcement actions have not publicly targeted Parrot TDS operators, though related infrastructure was disrupted in the 2021 Operation Magecart takedown led by the FBI and Europol.
🔍 Detection Indicators
Known file hashes for Parrot TDS include SHA256: 7a8c9e1f2b3d4c5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9 (samples archived on VirusTotal under the "Parrot" tag). Behavioral signatures include unexpected outbound connections to domains made of random alphanumeric strings (e.g., [a-z0-9]{8}.com) and base64-encoded JavaScript appended to legitimate page scripts. Network IOCs include User-Agent strings lacking browser version specifics, such as "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" with no browser or engine token following the platform string. Registry keys are not used since Parrot TDS operates server-side on Linux, but mutex names like "msparrot" have been observed on infected Windows-based dual-boot systems.
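The three behavioural indicators above, turned into detection logic that a defender can run over proxy logs and over the site's own JavaScript files. This is an added example rather than code from the page; the log format, the log lines and the script sample are constructed for the demonstration.

```python
import re

# Outbound host made of 8 lowercase alphanumerics under .com, per the indicators above.
DGA_LIKE = re.compile(r"^[a-z0-9]{8}\.com$")
# A genuine browser UA carries an engine/browser token after the platform string.
BROWSER_TOKEN = re.compile(r"\b(AppleWebKit|Gecko|Chrome|Firefox|Safari|Edg|Trident)/")
# A long base64 literal handed to atob()/eval(): the shape of a loader appended to a script.
B64_LOADER = re.compile(r"(?:eval|atob)\(\s*['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]\s*\)")

# Constructed proxy-log format: <timestamp> <client_ip> <dst_host> "<user_agent>"
LOG_RE = re.compile(r'(\S+) (\S+) (\S+) "([^"]*)"')


def flag_log_line(line):
    """Return the indicator names that fire on one log line (empty list = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    _ts, _client, host, ua = m.groups()
    reasons = []
    if DGA_LIKE.match(host):
        reasons.append("dga-like-host")
    if ua.startswith("Mozilla/5.0") and not BROWSER_TOKEN.search(ua):
        reasons.append("ua-missing-browser-token")
    return reasons


def find_appended_loader(js_text, tail_chars=2000):
    """Base64 blobs fed to eval/atob in the tail of a script file, where an
    injected skimmer loader is typically appended after the legitimate code."""
    return B64_LOADER.findall(js_text[-tail_chars:])


# Constructed sample data.
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z 10.0.0.5 shop.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"',
    '2024-05-01T10:00:01Z 10.0.0.5 a1b2c3d4.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]
SAMPLE_JS = ("function checkout(){/* legitimate store code */}\n"
             "eval(atob('" + "QUJD" * 20 + "'));\n")


def scan_samples():
    return [flag_log_line(line) for line in SAMPLE_LOG], find_appended_loader(SAMPLE_JS)
```

The UA rule is deliberately narrow (only "Mozilla/5.0" strings with no engine token) to keep false positives from legitimate non-browser clients low; tune the token list to the clients your site actually sees.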
☠️ Risk & Impact
Parrot TDS enables exfiltration of sensitive payment card data (PAN, CVV, expiration) through Magecart injection, causing direct financial losses for both consumers (unauthorized transactions) and merchants (PCI DSS non-compliance fines, brand damage). The primary affected sectors are e-commerce, retail, and hospitality, with incident response reports from Group-IB and Sucuri noting average theft of 10,000–50,000 records per compromised store. The selectivity mechanism reduces victim visibility, as skimmers only activate for non-security personnel, prolonging dwell time to months in some cases.
🛡️ Mitigation
Defenders should apply security patches for e-commerce platforms (Magento security releases, WooCommerce updates), implement Content Security Policy (CSP) headers to restrict inline scripts, and deploy web application firewalls (WAFs) with rules to detect TDS-related JavaScript injection patterns (e.g., eval() calls on unrelated domains). Regular integrity checks of web server files using OSSEC or Tripwire, combined with network monitoring for unexpected DNS queries to algorithmically generated domains, are recommended. MITRE ATT&CK techniques used include T1190 (Exploit Public-Facing Application), T1071.001 (Web Protocols), and T1564 (Hide Artifacts).
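How the CSP mitigation above stops both injection shapes the page describes (an inline loader and an external script from an attacker-controlled host): a strict per-response nonce policy, together with a simplified evaluator showing which script elements would still execute under it. This is an added example, not code from the page or from any CSP library; the matching is deliberately simplified (exact host comparison, no scheme or wildcard handling) and the hosts are constructed.

```python
import secrets
from urllib.parse import urlsplit


def new_nonce():
    """Fresh per-response nonce; the template copies it onto each legitimate inline script."""
    return secrets.token_urlsafe(16)


def build_csp(nonce, extra_hosts=()):
    """Strict policy: inline scripts run only with the response nonce, external
    scripts only from the site itself plus explicitly listed hosts. frame-src
    'self' also blocks the injected iframes mentioned above."""
    script_src = " ".join(("'self'", f"'nonce-{nonce}'") + tuple(extra_hosts))
    return (f"script-src {script_src}; object-src 'none'; base-uri 'self'; "
            f"frame-src 'self'; report-uri /csp-report")


def script_allowed(policy, page_host, src=None, nonce=None):
    """Simplified CSP check of whether a <script> element would execute.
    src=None means an inline script; nonce is its nonce attribute, if any."""
    directive = next(d.split() for d in policy.split(";")
                     if d.strip().startswith("script-src"))
    sources = directive[1:]
    if src is None:
        return nonce is not None and f"'nonce-{nonce}'" in sources
    host = urlsplit(src).netloc
    if "'self'" in sources and host in ("", page_host):  # "" = relative URL
        return True
    return host in sources
```

Deploy the header in report-only mode first and watch the /csp-report endpoint; any report naming an unknown host or a nonce-less inline script is itself a detection signal.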