{"id":14560,"date":"2023-05-19T21:36:12","date_gmt":"2023-05-19T21:36:12","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=14560"},"modified":"2024-12-20T22:50:39","modified_gmt":"2024-12-20T22:50:39","slug":"ducktail-malware-analysis","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/ducktail-malware-analysis\/","title":{"rendered":"Ducktail Infostealer Malware Targeting Facebook Business Accounts"},"content":{"rendered":"

Researchers discovered Ducktail Malware, which targets individuals and organizations on the Facebook Business\/Ads platform. The malware steals browser cookies and uses authenticated Facebook sessions to access the victim’s account. As a result, the scammers gain access to Facebook Business through the victim’s account, which has sufficient access to do so<\/strong>. It is a particularly interesting behavior, as most stealer malware aims at cryptocurrency-related data, or even all data types at once.<\/p>\n

What is Ducktail Malware?<\/h2>\n

Ducktail is malware built on .NET Core that predominantly targets individuals and employees who may have access to a Facebook Business account. The Ducktail campaign is believed to have been active since 2018. However, the author became actively involved in developing and distributing malware related to the DUCKTAIL operation in the second half of 2021. The chain of evidence suggests that the attacker’s motives are driven by financial considerations<\/strong> and that the cybercriminal behind the campaign hails from Vietnam.<\/p>\n

As mentioned at the outset, the primary targets of this stealer were individuals who hold senior positions in clothing, footwear, and cosmetics companies, as well as employees involved in digital marketing, digital media, and human resources<\/strong>. However, the author is believed to have recently updated the malware, expanding its capabilities. The new version of Ducktail is written in PHP. Now it targets users with any level of access to Facebook Business accounts<\/strong>.<\/p>\n

How does it work?<\/h2>\n

The Ducktail malware is specifically designed to extract browser cookies and use social media sessions. In this way, the attacker obtains sensitive information from the victim’s social media accounts and over Social Media Business accounts respectively. The scammers then use the access to place advertisements for financial gain<\/strong>. We will now look at this process in more detail.<\/p>\n

\"How
Ducktail’s algorithm of actions in one picture<\/figcaption><\/figure>\n

Delivery<\/h3>\n

To infect a target device, attackers use time-tested social engineering<\/a>. I have repeatedly mentioned that the weakest link in any defense is the human factor, so this tactic will always be relevant. First, scammers place a malicious file on popular cloud storage<\/strong>. They typically use Google Drive, OneDrive, Mega, MediaFire, Discord, Trello, iCloud, and Dropbox. Next, they trick the victim into downloading and opening the malicious file. To do this, hackers contact the victim via social networks<\/a>, and send a link to the archive. To make it look more legitimate, they pick a name like “Project Information And Salary Details At AVALON ORGANICS.zip”. Consequently, no suspicion is raised by the victim.<\/p>\n

\"Archive
The same file that is not who it says it is<\/figcaption><\/figure>\n

Inside the archive, there may be some thematic images (e.g., images of cosmetics, if it is a cosmetics company) and PDF or PDF document files. In reality, however, these are executable files disguised as documents<\/a>, as can be seen by checking the file extension<\/strong>. These files are actual payloads \u2013 .NET assemblies that carry both executable sections and DLLs in it.<\/p>\n

Info Stealing<\/h3>\n

Once launched, Ducktail scans web browsers, mainly Google Chrome, Mozilla Firefox, Microsoft Edge, and Brave Browser<\/strong>. The malware extracts all stored cookies as well as access tokens. It is also interested in information such as name, user ID, email address, and date of birth from the victim’s Facebook account. The malware scans registry data in HKLM\\SOFTWARE\\WOW6432Node\\Clients\\StartMenuInternet<\/strong> to get each installed browser’s name, path, and icon path.<\/p>\n

Hacking process<\/h3>\n

Ducktail uses the victim’s social media session cookie and other security credentials obtained. This allows it to interact directly with other social media endpoints from the victim’s computer<\/strong>, extracting information from the victim’s social media account. In addition, the malware checks for two-factor authentication and, if positive, tries to obtain recovery codes<\/strong>. It can also steal access tokens, IP addresses, and user agents, data from commercial and advertising accounts connected to the victim’s personal account. This allows attackers to hijack these accounts and add their email addresses<\/a> to gain admin and financial editor access.<\/p>\n

While the former is self-explanatory, administrator rights give complete control over the Facebook Business account. Financial editor rights allow the change of credit card information and financial details of the business<\/strong>, such as transactions, bills, account charges, and payment methods. Because Ducktail accesses this information by sending requests from the victim’s computer, he impersonates a legitimate user and his session. This is achieved by masking its activity behind the victim’s IP address<\/a>, cookie values, and system configuration. In addition to the data obtained, the malware attempts to get data from the Facebook Business page the following information:<\/p>\n