Ducktail’s latest campaign focuses on targeting marketing professionals within the fashion industry, in which the attackers distribute archives that contain several images of real products from known brands, but it comes alongside a malicious executable disguised as a PDF file.
When the malware is executed, it opens a genuine embedded PDF that has details on job information, specially crafted to appeal to the marketing professionals who are actively searching for new jobs. The malware’s goal is to install a browser extension that is capable of stealing Facebook business and ad accounts, and later sell the stolen credentials to third parties.
After the victim opens the malicious file, it downloads a PowerShell script (param.ps1) and a fake PDF file into the compromised device’s public directory. The script is triggered by the default PDF viewer to open the fake PDF which then shuts down the Chrome browser.
At the same time, a couple of malicious browser extension files are installed on a Google Chrome directory and pretend to be a Google Docs Offline extension. The main hidden script continuously sends details of which tabs are open on the browser to a C2 server.
When any Facebook-related URLs are detected, the extension tries to extract cookies and account details to steal business and ad accounts. The extension is also capable of bypassing the two-factor authentication (2FA) by using Facebook API requests and a service from Vietnam called 2fa[.]live. All stolen credentials are transferred to a C2 server based in Vietnam.
“An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming language”, according to the researchers.
The campaign’s use of the Delphi programming language makes it difficult to detect by cybersecurity teams since the language’s uncommon signature-based antivirus protections might not be able to see it.
Ducktail has shown to be a persistent threat and has been active since at least May 2021. It has affected users with Facebook business accounts in the United States and many other countries. The operators of Ducktail have constantly shown how adaptable their attack strategies can be.
In addition to using LinkedIn for spear-phishing targets, the malware group has also started utilizing WhatsApp. Cybersecurity analysts have discovered a connection between the recently-rising DarkGate remote access trojan (RAT) and Ducktail due to the similarity in their methods.
To improve their monitoring, organizations are recommended to employ more behavior-based analytics in order to identify anomalies that indicate malicious activity. Marketing teams in particular should be offered training for noticing social engineering, as these attacks are mainly targeting them.
- Sensitive Information Theft
- Credential Theft
Indicators of Compromise
- Block all threat indicators at your respective controls. Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
- Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Make sure all of your software, including your operating system and applications, are up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by info-stealers and other types of malware.
- Promptly apply security patches and updates for operating systems, software applications, and browsers. This helps to address vulnerabilities that threat actors may exploit to deliver malware.
- Utilize web filtering solutions and URL reputation services to block access to known malicious websites and prevent users from visiting potentially dangerous links, such as those used in Ducktail infostealer campaigns.
- Implement network segmentation to restrict access and isolate critical systems, such as those hosting sensitive financial information or Social media accounts. This prevents lateral movement of malware and limits the impact of a potential compromise.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.
- Maintain regular backups of critical data, including social media accounts like Whatsapp, Facebook Business account information, and ensure they are stored securely offline. This enables quick recovery in case of a successful attack or data loss.