Newly discovered malware linked to Vietnamese threat players targets users through a LinkedIn phishing campaign to steal data & admin privileges for financial gain.
The new malware is hijacking high-profile Meta Facebook Business & advertising platform accounts through a phishing campaign that targets LinkedIn accounts.
The malware, dubbed Ducktail, uses browser cookies from authenticated user sessions to take over accounts & steal data, researchers commented.
Researchers from WithSecure, ex F-Secure, discovered the ongoing campaign, which appears to be the work of financially driven Vietnamese threat players, they wrote in a report published Tues.
The campaign itself appears to have been active since at least the 2nd half of 2021, while the threat players behind it may have been on the cyber-criminal scene since 2018, researchers stated.
“The malware is designed to steal browser cookies & take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account & ultimately hijack any Facebook Business account that the victim has sufficient access to,” researchers wrote in a blog post accompanying the report.
Ducktail actors have very specific targets — individuals within companies operating on Facebook’s Business & advertising platform that have high-level access to the account. These include people with managerial, digital marketing, digital media, & human resources roles in targeted companies, researchers outlined.
Under the Radar
“These tactics would increase the adversary’s chances of compromising the respective Facebook Business all the while flying under the radar,” researchers wrote.
To infiltrate accounts, players are targeting LinkedIn users with a phishing campaign that lures victims using keywords related to brands, products and project planning into downloading an archive file containing the malware executable alongside related images, documents & video files, researchers reported.
Researchers took a deep look into the new malware, which in its latest samples is written exclusively in .NET Core & compiled via its single-file feature, something “not commonly seen in malware,” they noted.
Ducktail operates using 6 key components when it infects a system. It 1st does Mutex creation & check to ensure that only 1 instance of the malware is running at any time, researchers explained.
A data storage component stores & loads stolen data in a text file in a temporary folder, while a browser-scanning feature scans installed browsers to identify cookie paths for later theft.
Ducktail also has 2 elements dedicated to stealing info from victims, one that is more generalised, stealing non-Facebook related information, & another that steals info specifically related to Facebook Business & advertising accounts as well as hijacks those accounts, researchers observed.
The 1st general information-stealing component scans an infected machine for Google Chrome, Microsoft Edge, Brave Browser or Firefox &, for each one it finds, extracts all stored cookies, including any Facebook session cookie.
The component of Ducktail dedicated to extracting data from Facebook Business/Ads accounts directly interacts with various Facebook endpoints—either direct Facebook pages or API endpoints–from the victim’s machine using a stolen Facebook session cookie, researchers explained. It also uses other security credentials obtained from the cookie to extract information from the victim’s Facebook account, they stated.
Specific info that the malware steals from Facebook includes security credentials, personal account identification info, business details & advertising account info.
Ducktail also lets threat players to take full administration control over Facebook Business accounts, which can give them access to a user’s credit card or other transactional data for financial gain, researchers suggested.
Telegram C&C & Other Evasions
A final component of Ducktail exfiltrates data to a Telegram channel used as the threat players’ Command & Control (C&C), researchers commented. This allows the r to evade detection by limiting the commands it sends from C&C to the victim’s machine, researchers outlined.
Also, the malware does not establish persistence on a machine, which also allows means it can get in & do its work without alerting the user or flagging on Facebook security, researchers explained.
However, different versions of Ducktail seen by threat players performed this lack of persistence in several ways, they observed.
“Older versions of the malware simply executed, did what they were designed to do, & then exited,” researchers wrote. “Newer versions run an infinite loop in the background that performs exfiltration activities periodically.”
Evade Meta Security
Ducktail also has inherent features in Facebook data-stealing component that is designed to evade Meta security features by making any request for data to Facebook entities appear to be coming from the victim’s primary browser.
This would make these actions appear safe to Meta security, researchers noted. Attackers also can use information such as stolen session cookies, access tokens, 2FA codes, user agents, IP address & geolocation, as well as general account information, to cloak & impersonate the victim, researchers concluded.