Wednesday, November 23, 2022

Ducktail Malware Operation Evolves with New Malicious Capabilities


The operators of the Ducktail information stealer have demonstrated a “relentless willingness to persist” and continued to update their malware as part of an ongoing financially motivated campaign.

“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account,” WithSecure researcher Mohammad Kazem Hassan Nejad said in a new analysis.

“The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access. The threat actor uses their gained access to run ads for monetary gain.”

Attributed to a Vietnamese threat actor, the Ducktail campaign is designed to target businesses in the digital marketing and advertising sectors that are active on the Facebook Ads and Business platform.

Also targeted are individuals within prospective companies who are likely to have high-level access to Facebook Business accounts. This includes marketing, media, and human resources personnel.

The malicious activity was first documented by the Finnish cybersecurity company in July 2022. The operation is believed to have been underway since the second half of 2021, although evidence points to the threat actor being active as far back as late 2018.

Ducktail malware

A subsequent analysis by Zscaler ThreatLabz last month uncovered a PHP version of the malware distributed as installers for cracked software. WithSecure, however, said that activity has no connection whatsoever to the campaign it tracks under the Ducktail moniker.

The latest iteration of the malware, which resurfaced on September 6, 2022, after the threat actor was forced to halt its operations on August 12 in response to public disclosure, comes with a number of enhancements incorporated to evade detection.

Infection chains now begin with the delivery of archive files containing spreadsheet documents hosted on Apple iCloud and Discord, sent via platforms such as LinkedIn and WhatsApp, indicating a diversification of the threat actor’s spear-phishing tactics.

The Facebook Business account information collected by the malware, which is signed using digital certificates obtained under the guise of seven different non-existent businesses, is exfiltrated via Telegram.

“An interesting shift that was observed with the latest campaign is that [the Telegram command-and-control] channels now include multiple administrator accounts, indicating that the adversary may be running an affiliate program,” Nejad explained.
