New Version of Ducktail Malware Attacks Facebook Business Accounts
According to the most recent findings from Zscaler, a PHP version of the information-stealing malware called Ducktail has been discovered in the wild and distributed as cracked installers for legitimate apps and games.
“Like earlier versions (.NetCore), the most recent version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, and so forth,” Tarun Dewan and Stuti Chaturvedi, researchers at Zscaler ThreatLabz, said.
The malware known as Ducktail, which first made its way onto the threat landscape toward the end of 2021 and is believed to have been developed by an unidentified threat actor from Vietnam, primarily targets Facebook advertising and business accounts.
How Does the Ducktail Malware Work?
The attack on an account is carried out through the browser of a victim by means of a malware program that is distributed under the guise of documents regarding brands, products, and project planning. The attackers begin by compiling a list of businesses with Facebook business pages. They then look for employees who work for those businesses and have job titles that could allow them access to those business pages on LinkedIn and other sources. Digital media, managerial, and human resource positions are among these.
The final step is sending them a link to an archive containing malware disguised as a .pdf, alongside images and videos that appear to be part of the same project. “Development plan,” “project information,” “products,” and “new project L’Oréal budget business plan” are among the file names that the researchers were able to observe. The inclusion of country names in some of the files suggests that the attackers customized them based on their reconnaissance for each victim and country.
It is believed that the DUCKTAIL group has been conducting this campaign since the second half of 2021. The identified victims were scattered throughout the The attackers reworked a portion of their toolset after WithSecure exposed their operation in mid-2022.
The Finnish network security company WithSecure (formerly F-Secure) was the first to report the financially motivated cybercriminal activity toward the end of July 2022.
New PHP Version of Ducktail Malware
The PHP version that was discovered in August 2022 connects to a newly hosted website to store the data in JSON format, whereas previous versions of the malware used Telegram as a command-and-control (C2) channel to exfiltrate information.
Attack chains observed by Zscaler involve embedding the malware in compressed archive files hosted on file-sharing services such as mediafire[.]com, posing as cracked versions of Microsoft Office, games, and pornography-related files.
After the installer is run, a PHP script that launches the code that steals and exfiltrates data from web browsers, cryptocurrency wallets, and Facebook Business accounts is activated.
Rather than focusing solely on employees with Admin or Finance access to Facebook Business accounts, the updated Ducktail campaign also targets regular Facebook users, indicating that the malware authors are broadening their scope of attack.
According to the researchers, “it seems that the threat actors behind the Ducktail stealer campaign are continuously changing or improving the delivery mechanisms and approach to steal a wide variety of sensitive user and system information targeting users at large.”