Ducktail Malware Operation Evolves with New Malicious Capabilities
The operators of the Ducktail information stealer have demonstrated a “relentless willingness to persist” and continued to update their malware as part of an ongoing financially driven campaign.
“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account,” WithSecure researcher Mohammad Kazem Hassan Nejad said in a new analysis.
“The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access. The threat actor uses their gained access to run ads for monetary gain.”
Attributed to a Vietnamese threat actor, the Ducktail campaign is designed to target businesses in the digital marketing and advertising sectors which are active on the Facebook Ads and Business platform.
Also targeted are individuals within prospective companies that are likely to have high-level access to Facebook Business accounts. This includes marketing, media, and human resources personnel.
The malicious activity was first documented by the Finnish cybersecurity company in July 2022. The operation is believed to be underway since the second half of 2021, although evidence points to the threat actor being active as far back as late 2018.
A subsequent analysis by Zscaler ThreatLabz last month uncovered a PHP version of the malware distributed as installers for cracked software. WithSecure, however, said the activity has no connection whatsoever to the campaign it tracks under the Ducktail moniker.
The latest iteration of the malware, which resurfaced on September 6, 2022, after the threat actor was forced to halt its operations on August 12 in response to public disclosure, comes with a host of improvements incorporated to circumvent detection.
Infection chains now commence with the delivery of archive files containing spreadsheet documents hosted on Apple iCloud and Discord through platforms like LinkedIn and WhatsApp, indicating diversification of the threat actor’s spear-phishing tactics.
The Facebook Business account information collected by the malware, which is signed using digital certificates obtained under the guise of seven different non-existent businesses, is exfiltrated using Telegram.
“An interesting shift that was observed with the latest campaign is that [the Telegram command-and-control] channels now include multiple administrator accounts, indicating that the adversary may be running an affiliate program,” Nejad explained.