Securi researchers are reporting that The Parrot traffic direction system (TDS) that came to light earlier this year on more than 16,500 infected sites has had a larger impact than previously thought.
Sucuri, has been tracking the campaign since February 2019 under the name “NDSW/NDSX,” and reports that “Last year, more than 61,000 websites scanned by SiteCheck contained the malicious ‘ndsw’ JavaScript.”
“The malware consists of several layers: the first of which prominently features the ndsw variable within JavaScript injections, the second of which leverages the ndsx variable in the payload. Our research findings show that attackers regularly change the obfuscation of their JavaScript injections while keeping this recognizable ndsw/ndsx pattern.”
“Since attackers usually inject this malware into every JavaScript file that they can find, a significant number of files are often impacted during infection. Our team removed this malware from almost 20 million .js files found on compromised sites during 2021 alone. The PHP part of this malware (what Avast calls a “proxied version”) was removed over 5,400 times by our remediation tools at an average rate of 1 or 2 files per infected website.
“At the time of writing, this “ndsw” campaign is still active. During the first 5 months of 2022, SiteCheck has detected more than 11,000 infected websites — and we’ve already cleaned over 2,900 PHP and 1.64 million JavaScript files related to this malware campaign this year.”
Good reminder of just how much our enterprises are being constantly scanned and the level of nefarious traffic. It was sited that that bot traffic may be over50% of the internet. The bots are scanning our systems and looking for vulnerabilities and an ability to stay persistent. Once they have a hold – the bots can inject their malware for ransomware, lateral movement, and data exfiltration. Enterprises have to assume their sites are being attacked and practice diligent identity governance to insure that their accounts are not being manipulated. And now that so many enterprises are managed by 3rd party MSSPs, they have to inquire and demand what mechanism are being use to watch their identities.