The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially motivated campaign.
"The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem Hassan Nejad said in a new analysis.
"The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access. The threat actor uses their gained access to run ads for financial gain."
Attributed to a Vietnamese threat actor, the Ducktail campaign is designed to target businesses in the digital marketing and advertising sectors that are active on the Facebook Ads and Business platform.
Also targeted are individuals within prospective companies who are likely to have high-level access to Facebook Business accounts. This includes marketing, media, and human resources personnel.
The malicious activity was first documented by the Finnish cybersecurity company in July 2022. The operation is believed to have been underway since the second half of 2021, although evidence points to the threat actor being active as far back as late 2018.
A subsequent analysis by Zscaler ThreatLabz last month uncovered a PHP version of the malware distributed as installers for cracked software. WithSecure, however, said the activity has no connection whatsoever to the campaign it tracks under the Ducktail moniker.
The latest iteration of the malware, which resurfaced on September 6, 2022, after the threat actor was forced to halt its operations on August 12 in response to public disclosure, comes with a host of enhancements incorporated to bypass detection.
Infection chains now begin with the delivery of archive files containing spreadsheet documents hosted on Apple iCloud and Discord via platforms like LinkedIn and WhatsApp, indicating a diversification of the threat actor's spear-phishing tactics.
The Facebook Business account information collected by the malware, which is signed using digital certificates obtained under the guise of seven different non-existent businesses, is exfiltrated using Telegram.
"An interesting shift that was observed with the latest campaign is that [the Telegram command-and-control] channels now include multiple administrator accounts, indicating that the adversary may be running an affiliate program," Nejad explained.
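The article notes that stolen Facebook Business data leaves the victim network over Telegram. One defender-side check that follows from that is to look for Telegram Bot API traffic in web proxy logs, since the Bot API is reached at a fixed host (api.telegram.org) with a URL shape of /bot&lt;token&gt;/&lt;method&gt;, which ordinary Telegram desktop or web clients do not use. The script below is an added example, not code from WithSecure or from the article; the log line format and all sample lines are constructed for illustration, and only the Bot API URL shape is real. It raises a high-confidence finding when the full URL path is visible (TLS-inspecting proxy) and falls back to a medium finding when only a CONNECT to the API host is logged.

```python
"""Flag Telegram Bot API uploads in proxy logs (added example, constructed data)."""
import re
from urllib.parse import urlparse

# Constructed log format (assumption, not any vendor's format):
#   <timestamp> <source ip> <method> <url> "<user agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Real Telegram Bot API path shape: /bot<bot_id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<api>[A-Za-z]+)")

# Bot API methods that push content out to a chat; other calls (e.g. getMe) are ignored here.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

BOT_API_HOST = "api.telegram.org"

# Constructed sample lines: two bot uploads from a non-browser client, one CONNECT
# where the proxy could not see the path, and two benign browser requests.
SAMPLE_LOGS = [
    '2022-09-06T10:15:22Z 10.0.0.12 POST https://api.telegram.org/bot123456789:AAExampleConstructedToken_xyz/sendDocument "Mozilla/4.0 (compatible; .NET)"',
    '2022-09-06T10:15:23Z 10.0.0.12 POST https://api.telegram.org/bot123456789:AAExampleConstructedToken_xyz/sendMessage "Mozilla/4.0 (compatible; .NET)"',
    '2022-09-06T10:16:01Z 10.0.0.34 CONNECT api.telegram.org:443 "-"',
    '2022-09-06T10:16:40Z 10.0.0.34 GET https://web.telegram.org/ "Mozilla/5.0 Chrome"',
    '2022-09-06T10:17:05Z 10.0.0.12 GET https://business.facebook.com/ "Mozilla/5.0 Chrome"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def redact_token(token):
    """Keep the bot id and a short prefix of the secret so analysts can correlate
    without copying a full credential into a ticket."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...({len(secret)} chars)"


def classify(entry):
    """Return a finding dict for Bot API traffic, or None for anything else."""
    if entry["method"] == "CONNECT":
        # Tunnelled TLS: only host:port is logged, so the path is unknown.
        host = entry["url"].rsplit(":", 1)[0]
        if host != BOT_API_HOST:
            return None
        return {"ts": entry["ts"], "src": entry["src"], "severity": "medium",
                "api": None, "token": None,
                "reason": "TLS tunnel to Telegram Bot API host; path not visible"}

    url = urlparse(entry["url"])
    if url.hostname != BOT_API_HOST:
        return None
    m = BOT_PATH_RE.match(url.path)
    if not m or m.group("api") not in EXFIL_METHODS:
        return None
    return {"ts": entry["ts"], "src": entry["src"], "severity": "high",
            "api": m.group("api"), "token": redact_token(m.group("token")),
            "reason": f"Bot API {m.group('api')} call from user agent {entry['ua']!r}"}


def find_bot_exfil(lines):
    """Run every line through the parser and classifier; return the list of findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than failing the whole run
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_bot_exfil(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['ts']} {f['src']} {f['reason']}")
```

Both Telegram desktop clients and the Bot API resolve to Telegram infrastructure, so a host-only match is a triage signal rather than a verdict; the path-level match is what separates an automated bot upload from a person using the web client. Redacting the token in findings matters because the same value would let anyone who reads the alert interact with the attacker's bot.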