Securi researchers are reporting that The Parrot traffic direction system (TDS) that came to light earlier this year on more than 16,500 infected sites has had a larger impact than previously thought.
Sucuri, has been tracking the campaign since February 2019 under the name “NDSW/NDSX,” and reports that “Last year, more than 61,000 websites scanned by SiteCheck contained the malicious ‘ndsw’ JavaScript.”
“The malware consists of several layers: the first of which prominently features the ndsw variable within JavaScript injections, the second of which leverages the ndsx variable in the payload. Our research findings show that attackers regularly change the obfuscation of their JavaScript injections while keeping this recognizable ndsw/ndsx pattern.”
“Since attackers usually inject this malware into every JavaScript file that they can find, a significant number of files are often impacted during infection. Our team removed this malware from almost 20 million .js files found on compromised sites during 2021 alone. The PHP part of this malware (what Avast calls a “proxied version”) was removed over 5,400 times by our remediation tools at an average rate of 1 or 2 files per infected website.
“At the time of writing, this “ndsw” campaign is still active. During the first 5 months of 2022, SiteCheck has detected more than 11,000 infected websites — and we’ve already cleaned over 2,900 PHP and 1.64 million JavaScript files related to this malware campaign this year.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.