Researchers have found instances of the Ducktail malware being used against HR and marketing staff, specifically those in managerial positions.
The cybercriminals behind this operation have been luring company employees with decoy or fraudulent documents bearing convincing file names, researchers found.
Ducktail has been under continuous development since the second half of 2021, with improvements to its evasion and attack capabilities, researchers at Cyble Research and Intelligence Labs (CRIL) found.
The Ducktail campaign against HR managers and marketing executives ultimately targets their LinkedIn and other social media business accounts.
Upon gaining access to the employee’s system, the Ducktail malware steals their browser cookies to copy their social media session data. This helps the cybercriminals behind the campaign gain control over the victims’ social media business accounts.
Ducktail malware used on HR and marketing managers: The details
The operators behind the Ducktail malware were found to run this campaign to gain access to HR managers’ and marketing heads’ systems and accounts, so that customized fraudulent advertisements could be run from those accounts.
These fraudulent advertisements may reach thousands of candidates looking for jobs or marketing gigs with the company.
Threat actors can leverage this chain of connections to extend their reach and steal more system data for various purposes. The remaining stolen data may be sold on the dark web to other attackers looking to compromise a single employee’s device and reach the enterprise network through it.
The financially motivated campaign targeting HR and marketing managers was found to originate in Vietnam, where the cybercriminals were traced.
Ducktail malware used on HR and marketing managers: Spotting the code
The Cyble Research & Intelligence Labs found samples of documents that help illustrate the fraudulent files used by the criminals to fool HR executives. These files look legitimate but are nothing more than decoys. These and similar-looking malware-laden files must not be opened, clicked, or shared with anyone.
Watch for unsolicited, unexpected, or unrelated emails or files arriving on your device with the following names –
Related names of files sent to targeted company staff (Photo: Cyble blog)
The file names found were –
- Borgiolishoes – Digital Marketing Project Plan
- Job Description Plan of GAP 2023
- Project Information And Salary Details At AVALON ORGANICS
- Commercial Marketing Manager LACOSTE_HR
All these were zip files.
“The TAs focused on themes related to digital marketing projects, job descriptions, plans for various positions, and policy and salary information associated with companies in the Clothing, Footwear, and Cosmetics industries,” detailed the Cyble blog.
CRIL researchers pointed out that the company names mentioned in the emails and their attachments pertained to prominent clothing, footwear, and cosmetic brands.
Popular file-sharing services including Google Drive, Microsoft OneDrive, and Dropbox were used to host the malware. Using social engineering, the attackers deceived targets with communications of professional interest, sent in the name of various consumer goods brands.
CRIL researchers warned professionals to treat suspicious incoming communications with caution even on LinkedIn, because the researchers could not determine the exact method or channel through which initial contact was established.
Technical details about the Ducktail malware used on HR and marketing managers
Content of the malicious zip files (Photo: Cyble blog)
- The dropbox link was – hxxps[:]//www[.]dropbox[.]com/s/ng04kf3c1x1nya1/Project%20Information%20And%20Salary%20Details%20At%20AVAL
- Upon extracting the zip files, the contents showed icons and documents that appeared to be in PNG, JPG, Word, and PDF formats; the PDF and Word documents, however, were in fact executable files.
- The information-stealing malware is capable of targeting Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox.
- The Ducktail malware queries the registry key HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet to find each browser’s name, path, and icon path.
- Ducktail also steals IP addresses, access tokens, and user agents, which gives the attackers visibility into the users’ activity, among other threats.
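The list above describes the core trick of the lure: archive members that carry document icons and names but are actually Windows executables. The following is an added example, not code from the Cyble report or from Ducktail, showing how a mail gateway or triage script can catch that mismatch by trusting leading bytes rather than file names. The archive it inspects is constructed in memory to mimic the layout described (a real PDF and PNG beside two PE files posing as documents); the magic-byte table, extension expectations and member names are assumptions for the example.

```python
import io
import os
import zipfile

# Leading-byte signatures for the formats the lure files claimed to be.
# Constructed lookup table for this example; not taken from the report.
MAGIC = (
    (b"MZ", "exe"),                   # Windows PE executable
    (b"%PDF", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"PK\x03\x04", "zip"),           # also OOXML containers such as .docx
    (b"\xd0\xcf\x11\xe0", "ole"),     # legacy binary Office (.doc)
)

# Content type a given displayed extension should carry.
EXPECTED = {
    "pdf": "pdf", "png": "png", "jpg": "jpg", "jpeg": "jpg",
    "docx": "zip", "doc": "ole", "zip": "zip", "exe": "exe",
}

# Extensions that make a trailing ".exe" look like a document ("Plan.pdf.exe").
DOCUMENT_EXTS = {"pdf", "png", "jpg", "jpeg", "docx", "doc", "txt"}


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes rather than by its name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_member(name: str, data: bytes) -> dict:
    """Return the displayed extension, the real content type and reasons to flag."""
    parts = os.path.basename(name).lower().split(".")
    shown_ext = parts[-1] if len(parts) > 1 else ""
    real = sniff(data)
    reasons = []
    if real == "exe":
        reasons.append("PE executable (MZ header) inside a document-themed archive")
    if shown_ext in EXPECTED and EXPECTED[shown_ext] != real:
        reasons.append(f"extension .{shown_ext} does not match content type {real}")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{shown_ext}")
    return {"name": name, "shown_ext": shown_ext, "real_type": real, "reasons": reasons}


def inspect_zip(zip_bytes: bytes) -> list:
    """Inspect every member of an in-memory zip, reading only its first 8 bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            findings.append(inspect_member(info.filename, head))
    return findings


def suspicious_members(zip_bytes: bytes) -> list:
    """Names of archive members that triggered at least one reason."""
    return [f["name"] for f in inspect_zip(zip_bytes) if f["reasons"]]


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure: a real PDF and PNG beside two PE stubs disguised as documents."""
    members = {
        "Job Description Plan.pdf": b"%PDF-1.7\n%constructed sample\n",
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "Salary Details.pdf.exe": b"MZ" + b"\x90" * 62,   # double extension
        "Project Plan.docx": b"MZ" + b"\x90" * 62,        # PE with a Word extension
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        status = "FLAG" if finding["reasons"] else "ok  "
        print(status, finding["name"], "->", finding["real_type"], "; ".join(finding["reasons"]))
```

Only the first eight bytes of each member are read, so the check costs little even on large archives, and the decision never depends on the icon or extension the sender chose. In the sample archive the two PE members are flagged while the genuine PDF and PNG pass.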
If two-factor authentication is active on the target account(s), the Ducktail malware tries to obtain the recovery codes in order to retain access to the targeted device and carry out the attack as planned.
The command-and-control channel was found to be Telegram: the Telegram bot API was used to exfiltrate the stolen data to the attacker’s device.
Several contacts of HR and marketing executives are at risk of cyberattacks and may lose money or be scammed with fake job offers. It is important not to open messages from or communicate with strangers, who may even pose as representatives of large businesses, the report warned.
Enabling multi-factor authentication is always better than relying on a password alone, which can be guessed or stolen by scammers. Moreover, running a reputable anti-virus application and keeping the device constantly updated is also essential, it suggested.
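Because the stolen data leaves the host through the Telegram bot API, the exfiltration has a recognisable shape on the wire: an HTTPS request to api.telegram.org with a path of the form /bot<token>/<method>. The following is an added example, not from the Cyble report or from any vendor product, of a small detection that scans endpoint network events for that pattern and flags requests made by processes that are not expected to use the bot API. The log format, the host and process names, the allowlist and the bot tokens are all constructed for the example; only the api.telegram.org host and the /bot<id>:<secret>/<method> URL shape come from Telegram’s public Bot API documentation.

```python
import re

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Methods that carry data out of the host (file or text upload).
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo"}

# Constructed allowlist: an internal notification tool that legitimately uses the bot API.
KNOWN_BOT_CLIENTS = {"opsnotifier.exe"}

# Constructed endpoint network events: ts host process dst_host http_method path status
SAMPLE_LOG = """\
2023-01-10T09:01:02Z HR-WS01 chrome.exe www.linkedin.com GET /feed/ 200
2023-01-10T09:02:11Z HR-WS01 chrome.exe web.telegram.org GET /k/ 200
2023-01-10T09:03:45Z HR-WS01 ProjectPlan.exe api.telegram.org POST /bot123456789:AAEexampleTokenNotReal/sendDocument 200
2023-01-10T09:03:46Z HR-WS01 ProjectPlan.exe api.telegram.org POST /bot123456789:AAEexampleTokenNotReal/sendMessage 200
2023-01-10T09:05:00Z MKT-WS07 opsnotifier.exe api.telegram.org POST /bot987654321:AAFconstructedToken/sendMessage 200
"""


def parse_line(line: str) -> dict:
    """Split one constructed event line into its fields."""
    ts, host, proc, dst, http_method, path, status = line.split()
    return {"ts": ts, "host": host, "proc": proc.lower(), "dst": dst.lower(),
            "http_method": http_method, "path": path, "status": int(status)}


def classify(rec: dict):
    """Return an alert string for suspicious bot-API use, or None.

    The bot secret is never copied into the alert; only the numeric bot id is
    reported so the alert itself does not leak a credential into ticketing systems.
    """
    if rec["dst"] != "api.telegram.org":
        return None
    m = BOT_PATH.match(rec["path"])
    if not m:
        return None
    bot_id, _secret, api_method = m.groups()
    if rec["proc"] in KNOWN_BOT_CLIENTS:
        return None
    if api_method in EXFIL_METHODS:
        return f"possible exfiltration via Telegram bot {bot_id} ({api_method}) from {rec['proc']}"
    return f"Telegram Bot API use from unexpected process {rec['proc']} ({api_method})"


def scan(lines) -> list:
    """Run the classifier over event lines; returns (ts, host, alert) tuples."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict:
            alerts.append((rec["ts"], rec["host"], verdict))
    return alerts


if __name__ == "__main__":
    for ts, host, alert in scan(SAMPLE_LOG.splitlines()):
        print(ts, host, alert)
```

On the sample events the two requests from the disguised executable on HR-WS01 are reported, the browser traffic to LinkedIn and web.telegram.org is ignored, and the allowlisted notifier on MKT-WS07 stays quiet. In a real deployment the process field comes from EDR or a TLS-inspecting proxy, and the allowlist would be maintained per environment; the useful signal is the combination of the bot-API path with a process that has no business calling it.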