Vietnamese cybercriminals have been found circulating a new PHP variant of the ‘Ducktail’ information-stealing malware. The intent is to manipulate pages and steal the banking data of compromised users. The Ducktail infostealer is delivered to targets disguised as an application installer for games, Microsoft Office applications, and even Telegram, among others.
Researchers at Zscaler ThreatLabs found the Ducktail info-stealing malware still in use to exfiltrate data from a victim’s browser, Facebook account, and crypto-wallets, among others. The attackers deliver a zip file that is hosted on legitimate file-hosting services, which lends it a degree of credibility with targets. The fake zip file purports to offer games, subtitles, adult videos, and cracked MS Office applications, and runs stealthily in the background. The user is shown a fake message, usually as a pop-up, that reads something like “Checking Application Compatibility”.
When the malware-laced zip file runs in the background, its contents are extracted to the %LocalAppData%\Packages\PXT folder. A local PHP interpreter (PHP.exe), together with other scripts and tools, then runs to steal information. PHP is normally a server-side scripting language; in this case it is also used for persistence, by creating scheduled tasks that re-run the stealer on the device daily at regular intervals. The folder also includes a TMP file that is executed to steal the targeted data.
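The persistence mechanism described above lends itself to a simple host-side triage. The following added example (mine, not from Zscaler’s report or from any tooling it describes) parses Windows scheduled-task definitions and flags any task whose action launches php.exe or anything under the %LocalAppData%\Packages\PXT drop folder; the two sample task definitions and the script name run.php are constructed for illustration.

```python
# Added example, not the report's or any vendor's code: triage Windows scheduled-task
# definitions for the persistence described above (a task that launches php.exe or
# anything under %LocalAppData%\Packages\PXT). Input is task XML as stored under
# C:\Windows\System32\Tasks or exported with `schtasks /query /tn <name> /xml`.
# The sample tasks and the script name run.php are constructed for this example.
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler schema
# Indicators from the report: php.exe as the launched binary, and the PXT drop folder
# written either with the environment variable or as an expanded profile path.
PATTERNS = [
    re.compile(r'(^|[\\/\s"])php\.exe\b', re.IGNORECASE),
    re.compile(r"(%LocalAppData%|AppData\\Local)\\Packages\\PXT", re.IGNORECASE),
]

def suspicious_actions(task_xml):
    """Return 'command arguments' for each Exec action that matches an indicator.
    Accepts str or bytes; bytes read from disk keep the UTF-16 BOM of exported files."""
    root = ET.fromstring(task_xml)
    hits = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip()
        args = exe.findtext("t:Arguments", default="", namespaces=NS).strip()
        line = f"{cmd} {args}".strip()
        if any(p.search(line) for p in PATTERNS):
            hits.append(line)
    return hits

def scan_task_folder(folder=r"C:\Windows\System32\Tasks"):
    """Map every flagged task file under folder to its matching actions."""
    flagged = {}
    for path in (p for p in Path(folder).rglob("*") if p.is_file()):
        try:
            hits = suspicious_actions(path.read_bytes())
        except ET.ParseError:
            continue  # not a task definition
        if hits:
            flagged[str(path)] = hits
    return flagged

# Constructed samples: a benign updater task and one modelled on the reported behaviour.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Program Files\ExampleApp\updater.exe</Command>
  <Arguments>/check</Arguments></Exec></Actions></Task>"""
DUCKTAIL_LIKE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers><Actions><Exec><Command>%LocalAppData%\Packages\PXT\php.exe</Command>
  <Arguments>-f %LocalAppData%\Packages\PXT\run.php</Arguments></Exec></Actions></Task>"""
```

Running `scan_task_folder()` on a live host walks the Tasks folder and returns only the tasks that hit an indicator, so a clean system yields an empty dictionary.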
Infostealer Functions:
- The upload command uploads the victim’s sensitive information to the attacker’s server.
- The getTack command builds the pattern of stolen data to be sent to the attacker’s system.
- The getMac command fetches the victim’s machine ID.
- The readDirs command steals data from various directories.
- The deleteAllFolder command deletes all the folders created to store stolen data.
- The parCookie command extracts browser cookies.
- The parseChromium command steals data from the Chrome browser.
- The parseMoz command extracts data from the Mozilla browser.
- The Browser command extracts information from any browser installed on the victim’s device.
- The BVZipArchive command compresses the stolen data.
The cybercriminals store the stolen data on a newly hosted website in JSON format. Using the PHP version of the Ducktail stealer script, the attackers relaunch the installer with the “/Silent” parameter, which controls the installation options. The malicious payload used in the attacks was named ‘libbridged.exe’. The report highlighted that the threat actors split execution into several separate stages rather than a single binary that performs all tasks at once.