Cybercriminals are letting malware buyers know about its features through elaborate advertisements on cybercrime forums. Recently, Cyble Research and Intelligence Labs (CRIL) shared how threat actors are trying their best to sell malware with enhanced features. The cybercrime forum entry featured DuckLogs Malware-as-a-Service (MaaS) along with its cost and global victims.
As per the CRIL blog, the malware could steal information from systems, perform keylogging to copy what is typed using the keyboard, have remote access to watch the activities on the targeted system, and launch desired malicious attacks. It could also access passwords, cookies, login credentials, browser history, and crypto wallet details. Researchers also observed activities performed with the DuckLogs ‘C&C server during its monitoring sessions.
What the DuckLogs malware advertisements said?
Several benefits and advanced capabilities of the DuckLogs MaaS were highlighted in the advertisements on the cybercrime forum. The image titled, ‘Modules That Will Enhance Your Chances,’ showed logos of over 20 browsers that it could penetrate and lists of attacks it can perform mentioned under the categories including stealers, remote control, and miscellaneous. Miscellaneous noted functions such as obfuscation, telegram notifications, and clipper for BTC, ETH, LTC, XMR, XRP, XLM, DOGE, and BTC cash were also mentioned in the advert.
Costing details of the DuckLogs malware-as-a-service
DuckLogs malware-as-a-service was offered on three plans — for a month, for three months, and for a lifetime — on the cybercrime forum. The cost for a month was $19.99, for three months, it was available for $39.99, and the cost of using it for a lifetime was $69.99. The advanced features were named next to the duration of the plan.
Besides all these details on the forum, the web panel offered attackers the option to enhance further DuckLogs’ features, such as altering the malware binary and stealing and downloading target information using its web panel. The malware-as-a-service advertisement showed pictures of a dashboard with details of its global victims. It had a total of 6035 victims at the time of reporting the ad.
Technical details of the samples found on the dark forums
The 32-bit, .NET executable sample hash (SHA256) found by CRIL found was named BkfFB.exe. After executing the hash e9bec9d4e28171c1a71acad17b20c32d503afa4f0ccfe5737171854b59344396 it decoded the hardcoded base64 encoded module in the binary. It retrieved the DuckLogs.exe payload and injected it by creating a new process using the process hollowing technique. It also formed the malware payload, ‘DuckLogs.exe.’
The malware was also found using steganography which is the technique of utilizing images and text loaded with malware to launch a cyberattack. “DuckLogs is protected by Obfuscator(1.0) and it can maintain persistence, bypass windows defender along with UAC bypass among other functions,” CRIL researchers shared with the Cyber Express.