Ducktail malware targets users and organizations on Facebook Business and Ads platform in this financially motivated malicious new campaign.
WithSecure (previously F-Secure) researchers have revealed details of a new spear phishing campaign targeting Facebook business accounts. The campaign has been active since at least July 2021.
The attack, according to researchers, entails using an infostealer dubbed Ducktail designed for stealing browser cookies for authentic Facebook sessions and information from the Facebook account. The objective is to hijack every business account the victim can access.
Who are the Targets of Ducktail?
According to WithSecure, Ducktail malware targets those “individuals and organizations” using Facebook Ads and Business services. People involved in digital marketing, managerial jobs, human resources, and digital media are the prime targets.
The Modus Operandi of the campaign involves attackers locating targets through LinkedIn and delivering malware. WithSecure researcher Mohammad Kazem Hassan Nejad wrote the report and stated that most spear phishing campaigns target people via LinkedIn.
“If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with.”Mohammad Kazem Hassan Nejad – WithSecure
Who’s the Attacker?
Researchers are confident that a Vietnam-based threat actor conducts this financially driven campaign. They detected this campaign earlier in 2022. They believe there’s no specific sector or geographic target at the moment. However, the malware has been continuously updated and modified since the second quarter of 2021. However, the threat actor has been active since 2018.
How does the Scam work?
According to WithSecure’s report , malware samples were hosted on Cloud services such as MediaFire, iCloud, and Dropbox. The malware is delivered to the targeted individuals through LinkedIn as they usually have Facebook business accounts.
Ducktail malware is written in .NET Core and compiled in a single file so its binary can run despite the .NET runtime on the victim’s computer. The attacker can use Telegram for C&C by embedding Telegram.Bot client and other external dependencies in one executable.
Ducktail ensures a single instance runs at all times and keeps scanning for installed browsers to identify cookie paths. Ducktail can collect general information and steals Facebook-related data, which is then exfiltrated to Telegram in several scenarios, such as after the hijacking, when the code loop is completed, or when the process crashes/exits.
Ducktail’s new versions run an infinite loop in the background that enables continuous exfiltration of new updates and cookies from the victim’s Facebook account to interact with it and create an email ID with admin access and finance editor roles, controlled by the attacker.
That’s how the attacker gets full control over the account and edits business credit cards or other financial details such as transactions, payment methods, etc.
Protection from Ducktail Malware
The best way to protect yourself from Ducktail malware is to be vigilant about opening emails and attachments from unknown senders and avoiding clicking on links in email messages.
Avoid clicking links or downloading attachments sent by anonymous users through the LinkedIn chat feature or Facebook Messenger. You should also always use strong passwords and two-factor authentication whenever possible.
You should also keep your device updated with the latest security patches to reduce your risk of being infected with Ducktail or any other malware.