Upgraded Ducktail malware could hijack Facebook accounts

October 20, 2022

A new PHP version of the Ducktail information-stealing malware has been spotted in the cybercriminal landscape. Its authors are distributing this new variant through pirated games and cracked installers of legitimate apps and software.

According to researchers, this latest version of the infostealer behaves much like its predecessors, which aim to steal sensitive information such as credentials saved in targeted browsers. The PHP version, however, focuses on hijacking and stealing Facebook business accounts.

Ducktail first appeared in the cybercriminal environment late last year. Researchers have attributed the information-stealing malware to an unidentified Vietnamese threat group.

The malware authors have now designed their payloads primarily to hijack advertising and business accounts on Facebook. A study published earlier this year also found that this Asian cybercriminal group is financially motivated and constantly looks for targets from which it can extract a lucrative profit.


The Ducktail malware can now establish a connection to another communication server.


Previous versions of Ducktail used Telegram as their C2 infrastructure to exfiltrate information. The new PHP variant instead connects to a newly hosted website, to which it sends the stolen information in JSON format.

A recent analysis found the malware bundled in ZIP archives hosted on file-sharing services such as Mediafire. The archives pose as cracked versions of games, software, films, and MS Office.

Once a target runs the installer on their device, a PHP script is executed that deploys the code for stealing data from web browsers, Facebook business accounts, and cryptocurrency wallets.

Furthermore, the operators appear to be widening their targeting: rather than limiting themselves to users with admin or finance access to Facebook business accounts, they can now go after ordinary Facebook user accounts as well.

The threat actors behind the Ducktail infostealer campaign continue to modify their payload and add enhancements to make their attacks more effective. Organisations are advised to follow the initial IOCs provided by Microsoft’s research team.
