Heimdal Security Blog

The Ducktail Malware Operation Gains New Capabilities

The operators of the Ducktail information stealer have shown once again that they intend to persist: they have updated the malware for use in an ongoing, financially motivated campaign.

Cybersecurity researchers say the malware steals browser cookies and abuses the logged-in Facebook sessions those cookies represent to pull information out of victims' accounts. The end goal is to hijack Facebook Business accounts and make money from them through ads.

Details on Ducktail

The Ducktail campaign, attributed to a Vietnamese threat actor, targets companies in digital marketing and advertising that are active on Facebook's Ads and Business platform.

According to The Hacker News, the targets are employees at prospective victim organizations who are likely to have access to Facebook Business accounts, including staff in marketing, media, and human resources. It is unclear when the operation began: it is believed to have been active since the second half of 2021, but there is evidence tying the threat actor's activity back as far as 2018.

Updated Version of the Malware

After being forced to halt operations on August 12, 2022, the threat actor resurfaced on September 6 with a version of the malware carrying a number of modifications designed to evade detection.

The threat actor has also diversified its spear-phishing techniques: infection chains now begin with archive files containing spreadsheet documents, hosted on Apple iCloud and Discord and delivered through channels such as LinkedIn and WhatsApp.

The Facebook Business account data collected by the malware is exfiltrated via Telegram.
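The two network-visible stages described above (archive delivery from a file-sharing service, then exfiltration over Telegram) are the parts of this chain a defender can look for in proxy or EDR network logs. The following is an added detection sketch, written for this article and not code from Heimdal or from the Ducktail analysis it summarizes. The log format, the user and process names, and the Telegram bot token are all constructed for illustration; none of them are real Ducktail indicators. The only assumptions taken from public knowledge are that Discord attachments are served from cdn.discordapp.com, iCloud Drive share links live under icloud.com/iclouddrive/, and Telegram Bot API calls put the bot token in the URL path.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample lines in a hypothetical "<timestamp> <user> <process> <method> <url>"
# format. These are not real indicators; the Telegram bot token is made up.
SAMPLE_LOGS = [
    "2022-09-06T09:12:01Z alice chrome.exe GET https://cdn.discordapp.com/attachments/1234/5678/Job_Description_Q3.zip",
    "2022-09-06T09:12:40Z alice chrome.exe GET https://www.icloud.com/iclouddrive/0a1b2c3d",
    "2022-09-06T09:15:22Z alice Marketing_Budget.exe POST https://api.telegram.org/bot123456789:AAH-madeUpTokenForIllustration/sendDocument",
    "2022-09-06T09:20:00Z bob chrome.exe GET https://discord.com/channels/1234/5678",
    "2022-09-06T09:21:00Z carol excel.exe GET https://sharepoint.example.com/sites/marketing/Budget.xlsx",
    "malformed line that should be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)
ARCHIVE_EXT = (".zip", ".rar", ".7z")
# Telegram Bot API requests carry the bot token in the path: /bot<id>:<secret>/<method>
TG_BOT_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(sendDocument|sendMessage|sendPhoto)$")
# Browsers are excluded from the high-confidence correlation; an infostealer
# that talks to the Bot API directly runs as its own process.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Finding:
    rule: str
    ts: str
    user: str
    process: str
    url: str


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Run the three single-event rules over the log and return findings in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        host = (parts.hostname or "").lower()
        path = parts.path

        def finding(rule):
            return Finding(rule, rec["ts"], rec["user"], rec["proc"], rec["url"])

        # Stage 1a: an archive pulled straight from Discord's attachment CDN.
        if host == "cdn.discordapp.com" and path.lower().endswith(ARCHIVE_EXT):
            findings.append(finding("archive_from_discord_cdn"))
        # Stage 1b: an iCloud Drive share link. The link does not expose the file
        # name, so this is context for correlation rather than an alert by itself.
        elif host.endswith("icloud.com") and path.startswith("/iclouddrive/"):
            findings.append(finding("icloud_drive_share_link"))
        # Stage 2: a POST to the Telegram Bot API with a bot token in the path.
        elif host == "api.telegram.org" and rec["method"] == "POST" and TG_BOT_RE.match(path):
            findings.append(finding("telegram_bot_api_post"))
    return findings


def correlate(findings):
    """Users who fetched a delivery artifact and then, from a non-browser process,
    posted to the Telegram Bot API. Timestamps are ISO 8601, so string order is time order."""
    first_delivery = {}
    for f in findings:
        if f.rule in ("archive_from_discord_cdn", "icloud_drive_share_link"):
            first_delivery[f.user] = min(first_delivery.get(f.user, f.ts), f.ts)
    hits = set()
    for f in findings:
        if f.rule != "telegram_bot_api_post" or f.process.lower() in BROWSERS:
            continue
        if f.user in first_delivery and f.ts >= first_delivery[f.user]:
            hits.add(f.user)
    return hits


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.ts} {f.rule:26} user={f.user} proc={f.process}")
    print("correlated users:", sorted(correlate(analyze(SAMPLE_LOGS))))
```

Two caveats a practitioner should keep in mind. The official Telegram desktop and mobile clients speak MTProto to Telegram's own servers rather than the HTTPS Bot API, so an arbitrary process posting to api.telegram.org with a token in the path is a strong signal on its own, while the iCloud and Discord rules will also match legitimate file sharing and only become interesting once correlated per user and host. Network telemetry also misses the cookie theft itself; on the endpoint, the complementary check is a non-browser process reading the browsers' cookie databases.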
