Ducktail Malware Is A Bigger Threat Than Ever

Ducktail Malware is a bigger threat than ever, as its operators have demonstrated a “relentless willingness to persist” and continued to update the malware as part of an ongoing financially driven campaign.

According to the latest analysis by WithSecure researcher Mohammad Kazem Hassan Nejad, “The Ducktail Malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account.”

He further added, “The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access. The threat actor uses their gained access to run ads for monetary gain.”

The Ducktail Malware campaign is attributed to a Vietnamese threat actor and has been targeting businesses in the digital marketing and advertising sectors that are active on the Facebook Ads platform.

The targets of this campaign included high-level Facebook Business accounts, with marketing, media, and human resources personnel among those singled out.

The threat was first documented by Finnish cybersecurity company F-Secure in July 2022. Although the operation began in late 2021, the evidence points to this actor being active as far back as the second half of 2018.

A subsequent analysis by ThreatLabz revealed a PHP version of the malware being distributed as installers for cracked software. However, WithSecure disagreed, saying there are no connections between those attacks and the ones it has been tracking under the Ducktail moniker.

The latest version of the malware is much harder to detect. It surfaced on September 6, 2022, after the threat actor was forced to halt operations on August 12 in response to public disclosure.

Recent infection chains start with the delivery of archive files containing spreadsheet documents, hosted on Apple iCloud and Discord and sent through platforms such as LinkedIn and WhatsApp, a sign that the operators are diversifying their spear-phishing tactics.
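Archives that arrive as "spreadsheets" over chat platforms are exactly the kind of attachment a defender should inspect before anyone opens them. The script below is an added example, not code from the article or from WithSecure: it opens a zip archive in memory and flags members whose extension says spreadsheet but whose first bytes say Windows executable, and members that hide an executable extension behind a document-looking name. The sample archive, its file names and the magic-byte table are constructed for the example.

```python
"""Triage a zip archive delivered as a spreadsheet attachment (added example)."""
import io
import zipfile
from typing import Dict, List, Optional

# Magic bytes a genuine file of each document extension starts with.
# .csv is plain text and has no fixed signature, hence None.
DOCUMENT_MAGIC: Dict[str, Optional[bytes]] = {
    ".xlsx": b"PK\x03\x04",          # OOXML is itself a zip container
    ".xls": b"\xd0\xcf\x11\xe0",     # legacy OLE compound document
    ".csv": None,
}
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk")
PE_MAGIC = b"MZ"  # DOS/PE header every Windows executable begins with


def triage_member(name: str, head: bytes) -> List[str]:
    """Return the reasons a single archive member deserves a closer look."""
    findings: List[str] = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""

    # Case 1: executable extension, possibly behind a document-looking name
    # such as "Ad_Brief_2022.xlsx.exe".
    if ext in EXECUTABLE_EXT:
        findings.append(f"executable extension {ext}")
        inner = lower[: -len(ext)]
        if any(inner.endswith(doc) for doc in DOCUMENT_MAGIC):
            findings.append("double extension disguised as a document")

    # Case 2: document extension, but the content is a PE image or does not
    # carry the signature that file type always starts with.
    if ext in DOCUMENT_MAGIC:
        expected = DOCUMENT_MAGIC[ext]
        if head.startswith(PE_MAGIC):
            findings.append(f"{ext} member starts with PE header")
        elif expected is not None and not head.startswith(expected):
            findings.append(f"{ext} member lacks expected signature")
    return findings


def triage_archive(data: bytes) -> Dict[str, List[str]]:
    """Open a zip archive from memory and triage every file in it."""
    report: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the first bytes are needed
            findings = triage_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_archive() -> bytes:
    """Construct a sample archive for the example (not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("rates.csv", "country,cpm\nUS,4.2\n")
        zf.writestr("budget.xlsx", b"PK\x03\x04" + b"\x00" * 32)          # genuine
        zf.writestr("campaign_plan.xlsx", b"MZ\x90\x00" + b"\x00" * 32)    # PE renamed
        zf.writestr("Ad_Brief_2022.xlsx.exe", b"MZ\x90\x00" + b"\x00" * 32)  # double ext
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(reasons))
```

The check reads only the first eight bytes of each member, so it is cheap enough to run on every attachment at a mail or chat gateway; anything it flags should be detonated or blocked rather than handed to the recipient.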

Once it has access to a Facebook Business account, the malware collects information about the account, which is then signed and exfiltrated via Telegram.
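Exfiltration through Telegram hides inside ordinary HTTPS to a well-known host, so the useful signal is which process on a managed endpoint is talking to the Telegram Bot API, not the destination alone. The script below is an added example, not code from the article or from WithSecure: it parses constructed key=value proxy records, ignores traffic from an assumed allowlist of processes expected to use Telegram, and summarises the remaining Telegram API traffic per host. The log format, host names, process names and byte counts are all constructed for the example.

```python
"""Flag Telegram API traffic from unexpected processes (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample records in a key=value format (not real telemetry).
SAMPLE_LOGS = """\
ts=2022-09-07T10:01:12Z host=mkt-pc-04 proc=chrome.exe dst=www.facebook.com:443 method=GET bytes_out=812
ts=2022-09-07T10:01:40Z host=mkt-pc-04 proc=Telegram.exe dst=api.telegram.org:443 method=POST bytes_out=1040
ts=2022-09-07T10:02:05Z host=mkt-pc-09 proc=QuarterlyReport.exe dst=api.telegram.org:443 method=POST bytes_out=48213
ts=2022-09-07T10:02:06Z host=mkt-pc-09 proc=QuarterlyReport.exe dst=api.telegram.org:443 method=POST bytes_out=51977
ts=2022-09-07T10:03:00Z host=hr-pc-02 proc=outlook.exe dst=outlook.office365.com:443 method=POST bytes_out=2210
"""

TELEGRAM_API = "api.telegram.org"
# Processes expected to reach the Telegram API on managed endpoints; an
# assumption for the example, to be replaced with the organisation's own list.
ALLOWED_TELEGRAM_PROCS = {"telegram.exe"}
PAIR = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict; empty dict for blank lines."""
    return dict(PAIR.findall(line))


def find_suspicious_telegram(log_text: str) -> Dict[str, Dict[str, object]]:
    """Summarise Telegram API traffic from non-allowlisted processes per host."""
    hits: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"events": 0, "bytes_out": 0, "procs": set()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        dst_host = rec.get("dst", "").split(":")[0]
        if dst_host != TELEGRAM_API:
            continue
        proc = rec.get("proc", "")
        if proc.lower() in ALLOWED_TELEGRAM_PROCS:
            continue  # the desktop client is expected to talk to Telegram
        entry = hits[rec.get("host", "?")]
        entry["events"] += 1
        entry["bytes_out"] += int(rec.get("bytes_out", "0"))
        entry["procs"].add(proc)
    # Freeze the sets into sorted lists so the result is stable and printable.
    return {
        host: {"events": e["events"], "bytes_out": e["bytes_out"], "procs": sorted(e["procs"])}
        for host, e in hits.items()
    }


if __name__ == "__main__":
    for host, summary in find_suspicious_telegram(SAMPLE_LOGS).items():
        print(host, summary)
```

In the constructed sample the Telegram desktop client on mkt-pc-04 is ignored, while mkt-pc-09 is reported because a process named like a document is POSTing roughly 100 KB to the Bot API in two requests; in production the allowlist and the bytes_out threshold would be tuned to the environment, and a hit should trigger a look at the process binary and the browser cookie stores on that host.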

Recent campaigns show an interesting shift: rather than running a single account, the adversary is maintaining a number of accounts in their channels. This could signify that they’re running an affiliate program which could mean more income for them.
