Ducktail, a Vietnam-based malware operation that gained traction in the second half of 2021, has upgraded its malicious code, researchers found. The malware was built last year specifically to target Facebook Business account owners, and it is now moving into its next phase by expanding its attack vector to WhatsApp, among other channels.
The malware is operated by Vietnamese-speaking individuals and has been active since 2018, according to researchers at WithSecure. They spotted the malware in late July 2022 and found that the threat group was again targeting organizations and individuals who use Facebook's services.
The group is interested only in Facebook Business accounts, especially those involved in Facebook Ads and the other premium services the platform offers, the researchers note. The group allegedly used an info stealer that collects data from browser cookies and abused the resulting “authenticated Facebook sessions” to steal information from the victim’s account, the report reads.
“DUCKTAIL is an operation that targets individuals and organizations operating on Facebook’s Ads and Business platform. The goal of DUCKTAIL is rather different from other information stealer malware or other common threats. It is to gain access to business accounts and use the hijacked businesses’ advertising credit and payment methods to run fraudulent ads,” WithSecure Intelligence researcher Mohammad Kazem Hassan Nejad told The Cyber Express.
Ducktail campaign returns
“Almost one month after DUCKTAIL’s last signs of activity, on Tuesday, September 6, 2022, we started receiving alerts from one of our DUCKTAIL hunting rules on new samples observed in-the-wild. In the following days, we observed detection hits across our customer base as our clients were targeted once more,” Mohammad Kazem Hassan Nejad highlighted in the threat assessment report.
According to the assessment, the primary goal is breaking into Facebook Business accounts and stealing information. However, the threat intelligence company's summer report inadvertently prompted the threat group to change its approach and improve its evasion of detection. The threat group has also expanded its operation and recruited more members, making it one of the most prevalent groups in the market right now.
According to the report, the losses from these attacks have surged to six hundred thousand dollars of advertising credits.
The new samples were built with the .NET 7 NativeAOT feature, which allows “binaries to be compiled natively (ahead-of-time) from .NET code”, said the threat assessment report. As a result, the latest binaries have a slightly different format from regular .NET assemblies.
NativeAOT also removes the need for a .NET runtime on the victim’s machine; the report notes that “NativeAOT provides similar benefits to .NET single-file feature that previous DUCKTAIL variants used for compilation.”
Among the samples the threat hunting group collected via VirusTotal from Vietnam, some contained a mixture of “old and new DUCKTAIL variant code bases, compiled as self-contained .NET Core 3 Windows binaries”. The malware relied primarily on Telegram for its operations and had three active Telegram bots and channels in its latest campaign.
How detrimental is Ducktail?
“While threats such as ransomware attacks get a lot of attention because of how detrimental they could be to a business, threats such as DUCKTAIL shouldn’t be overlooked either as they can cause substantial financial and brand damage,” Mohammad added. He also shared guidance on how Facebook account holders can detect whether DuckTail has compromised their Business account.
- Your Facebook Business administrator should review users added under Business Manager > Settings > People and revoke access for unknown users that were granted Admin access (with a finance editor role).
- You can use the list of attacker e-mail addresses found in this list https://github.com/WithSecureLabs/iocs/blob/master/DUCKTAIL/iocs.csv, noting that the list is not meant to be comprehensive.
- In case of a suspected compromise, the WithSecure Incident Response team strongly recommends capturing a local copy of the business history logs (https://www.facebook.com/business/help/2512887368958412) as soon as possible and requesting a copy of user data for the affected accounts (https://www.facebook.com/help/212802592074644).
- To check if any workstation may be infected with the information stealer malware that can lead to hijacking, users can employ the IOCs and YARA rules found via https://github.com/WithSecureLabs/iocs/tree/master/DUCKTAIL/.
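The first two steps above (reviewing Business Manager users and comparing them with WithSecure's IOC list) can be scripted. The following is an added example, not code from WithSecure or from the article; it assumes a hypothetical CSV export of Business Manager people, a `type,value` layout for the IOC file (the real iocs.csv may differ), and constructed sample addresses.

```python
import csv
import io

# Constructed sample IOC list. The real list lives at
# https://github.com/WithSecureLabs/iocs/blob/master/DUCKTAIL/iocs.csv;
# the "type,value" layout here is an assumption, not that file's schema.
IOC_CSV = """type,value
email,attacker.one@example.com
email,Attacker.Two+ads@example.com
domain,not-an-email.example
"""

# Constructed export of Business Manager > Settings > People
# (hypothetical columns: name,email,role,finance_role).
PEOPLE_CSV = """name,email,role,finance_role
Alice Staff,alice@corp.example,Admin,Finance editor
Bob Staff,bob@corp.example,Employee,
Unknown User,ATTACKER.ONE@example.com,Admin,Finance editor
Unknown User,attackertwo+x@example.com,Admin,Finance editor
New Hire,carol@corp.example,Admin,Finance editor
"""

# Addresses the organisation recognises as its own staff (constructed).
KNOWN_STAFF = {"alice@corp.example", "bob@corp.example"}


def normalize_email(addr):
    """Lower-case the address and collapse '+tag' and dot variants of the
    local part, so a throwaway variant of a listed address still matches.
    Dot-collapsing is a Gmail convention; on other domains it can
    over-match, so treat a hit as a lead to verify, not as proof."""
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def load_ioc_emails(text):
    """Return the normalised e-mail IOCs, ignoring non-email indicator rows."""
    rows = csv.DictReader(io.StringIO(text))
    return {normalize_email(r["value"]) for r in rows if r["type"] == "email"}


def review_people(people_text, ioc_emails, known_staff):
    """Return (reason, email) findings: IOC matches first, then any
    Admin with the Finance editor role who is not a known staff member."""
    known = {normalize_email(e) for e in known_staff}
    findings = []
    for r in csv.DictReader(io.StringIO(people_text)):
        email = normalize_email(r["email"])
        finance_admin = (r["role"] == "Admin"
                         and r["finance_role"].lower() == "finance editor")
        if email in ioc_emails:
            findings.append(("matches DUCKTAIL IOC list", r["email"]))
        elif finance_admin and email not in known:
            findings.append(("unrecognised Admin with Finance editor role", r["email"]))
    return findings
```

Every flagged user should be verified against HR or internal records before access is revoked, and a match against the IOC list warrants the log and data capture described in the third step.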