The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign.
"The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem Hassan Nejad said in a new analysis.
"The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access. The threat actor uses their gained access to run ads for monetary gain."
Attributed to a Vietnamese threat actor, the Ducktail campaign is designed to target businesses in the digital marketing and advertising sectors that are active on the Facebook Ads and Business platform.
Also targeted are individuals within prospective companies who are likely to have high-level access to Facebook Business accounts. This includes marketing, media, and human resources personnel.
The malicious activity was first documented by the Finnish cybersecurity company in July 2022. The operation is believed to have been underway since the second half of 2021, although evidence points to the threat actor being active as far back as late 2018.
A subsequent analysis by Zscaler ThreatLabz last month uncovered a PHP version of the malware distributed as installers for cracked software. WithSecure, however, said that activity has no connection whatsoever to the campaign it tracks under the Ducktail moniker.
The latest iteration of the malware, which resurfaced on September 6, 2022, after the threat actor was forced to halt its operations on August 12 in response to public disclosure, comes with a number of enhancements incorporated to evade detection.
Infection chains now begin with the delivery of archive files containing spreadsheet documents hosted on Apple iCloud and Discord, delivered through platforms like LinkedIn and WhatsApp, indicating a diversification of the threat actor's spear-phishing tactics.
The Facebook Business account information collected by the malware, which is signed using digital certificates obtained under the guise of seven different non-existent businesses, is exfiltrated using Telegram.
"An interesting shift that was observed with the latest campaign is that [the Telegram command-and-control] channels now include multiple administrator accounts, indicating that the adversary may be running an affiliate program," Nejad explained.
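Because the stolen session data leaves the host over Telegram, the cheapest place to catch Ducktail-style exfiltration from an endpoint that has no business talking to Telegram is the web proxy. The following is an added example, not code from the article, from WithSecure, or from the Ducktail operators. It assumes the stealer reaches Telegram through the Bot API, i.e. requests to api.telegram.org with paths of the form /bot<id>:<token>/<method>, which is the common way malware uses Telegram for C2 and exfiltration (the report only says Telegram is used). The proxy log lines, the bot id and the token below are all constructed.

```python
"""Flag Telegram Bot API uploads in web-proxy logs.

Added example; not code from the article, WithSecure, or the Ducktail operators.
Assumption: the stealer uses the Telegram Bot API, i.e. requests of the form
https://api.telegram.org/bot<id>:<token>/<method>. Log lines below are constructed.
"""
import re
from dataclasses import dataclass

# Bot API path: /bot<numeric bot id>:<token>/<method>. Real tokens are 35 chars of
# [A-Za-z0-9_-]; the length range is kept loose so the check tolerates format drift.
BOT_PATH = re.compile(r"^/bot(\d{6,12}):([A-Za-z0-9_-]{30,40})/([A-Za-z]+)")

# Methods that push data out of the host, as opposed to getUpdates command polling.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMessage"}


@dataclass
class BotRequest:
    ts: str
    src: str
    bot_id: str      # numeric part only; the secret token is never stored in alerts
    method: str
    bytes_out: int


# Constructed proxy log: "<timestamp> <client ip> <verb> <host> <path> <bytes sent>"
SAMPLE_LOG = """\
2022-09-07T10:15:02Z 10.1.4.23 POST api.telegram.org /bot5123456789:AAF4jKq9xYzQ3bWvL0nM8pRsTuVwXyZ12ab/sendDocument 418204
2022-09-07T10:15:09Z 10.1.4.23 GET api.telegram.org /bot5123456789:AAF4jKq9xYzQ3bWvL0nM8pRsTuVwXyZ12ab/getUpdates 0
2022-09-07T10:16:44Z 10.1.7.8 GET web.telegram.org /k/ 0
2022-09-07T10:17:01Z 10.1.9.15 POST www.facebook.com /api/graphql/ 2210
"""


def parse_bot_requests(log_text):
    """Return every Bot API request in the log, regardless of method or size."""
    found = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line; a production parser would count these
        ts, src, _verb, host, path, sent = parts
        if host.lower() != "api.telegram.org":
            continue
        m = BOT_PATH.match(path)
        if not m:
            continue
        bot_id, _token, method = m.groups()
        found.append(BotRequest(ts, src, bot_id, method, int(sent)))
    return found


def find_bot_uploads(log_text, min_bytes=10_000):
    """Narrow to upload-type calls carrying a meaningful payload.

    getUpdates polling is normal for a legitimate bot; a workstation POSTing
    hundreds of KB to sendDocument is what cookie/session exfiltration looks like.
    """
    return [r for r in parse_bot_requests(log_text)
            if r.method in UPLOAD_METHODS and r.bytes_out >= min_bytes]


if __name__ == "__main__":
    for hit in find_bot_uploads(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> bot {hit.bot_id} {hit.method} ({hit.bytes_out} bytes)")
```

On the constructed log only the 418 KB sendDocument POST from 10.1.4.23 is reported; the getUpdates poll from the same host and the browser session on web.telegram.org are not. The bot id is kept in the alert so that several infected hosts reporting to the same bot can be correlated, while the token itself is dropped so the alert does not hand an analyst a credential they should not be carrying around.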