Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Severity

High

Analysis Summary

Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a spear-phishing email that contains a malicious attachment or a link to a malicious website. Once the malware infects a system, it establishes a persistent presence and begins to gather information about the system and the network it is connected to.

This info-stealer is being disseminated through Facebook URLs, employing a technique that redirects users to suspicious websites or pages. Once redirected, users are prompted to manually click on a download button, which initiates the download of malicious files onto their devices. This method of distribution capitalizes on user interaction and engagement to deceive them into downloading the malware. The malicious files obtained through this process pose a significant threat to the security and privacy of the affected users, potentially leading to various harmful consequences such as unauthorized access to sensitive information, system compromise, or further malware infections.

The research team has been analyzing a series of info-stealing malware, and they have recently come across an interesting campaign involving the PHP version of Ducktail Infostealer. This malware is being actively distributed by disguising itself as a free or cracked application installer for popular software, including games, Microsoft Office applications, and Telegram. Ducktail Infostealer, attributed to a Vietnamese threat group, has been active since 2021 and has primarily targeted Facebook Business accounts with the objective of manipulating pages and gaining access to financial information.

The Ducktail Infostealer instances were first identified in late 2021. In July 2022, researchers observed that the threat actors were specifically targeting higher-level employees with access to Facebook Business accounts to steal data and take control of the accounts. The earlier versions of Ducktail were based on a binary written in .NET Core and utilized Telegram as its command and control (C2) channel for exfiltrating data. However, in August 2022, a new campaign was observed involving a PHP version of Ducktail Infostealer with new tactics, techniques, and procedures (TTPs).

According to an analysis, the threat actors have shifted their focus from targeting specific employees with administrative or financial access to Facebook Business accounts to a broader audience. The malicious executable files are typically in .ZIP format and are hosted on file sharing platforms, posing as cracked or free versions of popular applications like Office, games, subtitles, and explicit content files. Compared to previous campaigns, changes have been made in the execution of the malicious code. The threat actors now employ a scripting version where the main stealer code is a PHP script instead of a .NET binary.

The execution flow begins with a fake installer that generates a temporary file, which then re-initiates the installer with a “/Silent” parameter. Another temporary file is created, which drops all the supporting files and malicious files at a specific location on the victim’s machine. To achieve persistence, a series of events take place, scheduling tasks to execute the malicious payload, named “libbridged.exe,” on a daily basis and at regular intervals.

The stealing of data and its exfiltration are achieved by decrypting the stealer code at runtime in memory. The PHP script performs various actions, such as fetching browser information, extracting stored browser cookies, targeting Facebook Business accounts, searching for cryptocurrency account information in the wallet.dat file, and sending the collected data to the command and control (C&C) server.

The PHP script creates PHP associative arrays to prepare for data transmission to the C&C server. The CURL command is used for sending and receiving files over HTTP, and specific switches are employed during communication.

The script also collects information about installed browsers, retrieves data from the local state file in the Chrome user data directory, decodes sensitive data protected by Chrome’s local data encryption, encodes stolen information to base64, and saves it to log files. It specifically targets Facebook pages, including Facebook API graph, Facebook Ads Manager, and Facebook Business accounts, to gather account details, payment cycles, account statuses, funding sources, and other relevant information.

After completing the data stealing activities, the PHP script connects to the C&C server to obtain a list of targeted folders and URLs stored in JSON format, which are then used to gather further information. The stolen data is sent to the C&C server in JSON format.

To conclude, the threat actors behind the Ducktail Infostealer campaign are continuously evolving their delivery mechanisms and tactics to steal a wide range of sensitive user and system information, particularly targeting Facebook Business accounts.

Impact

• Sensitive Information Theft
• Credential Theft

Indicators of Compromise

MD5

• 4ec912c636655b383b93115dbc24d3cb
• fb3d0b2118f59bc6f1b2a646c9d507cb
• 34876f3059c0f092661ce66d9a2595fb

SHA-256

• 708657dd662640be3aa5fc96e9dfd40b15dce572e012871568ab250a4f5e3a34
• 76be32e07fc3dbc3a11aa0e1eaf071f7d16c7d1677718e9ec585d66806c70fa4
• 3b91dc27e38f2784594e33af996f823613715729ce81f6a5c80a8c49872ffdc6

SHA-1

• a0d12a59aa7237c3ad35fedb73a0731bf5cbc27d
• 976dac9ab16c6fc648400bf6aac056d97d599570
• f45674586d97f19507550f934bd5232eecc82c27

Remediation

• Block all threat indicators at your respective controls. Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Make sure all of your software, including your operating system and applications, are up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by info-stealers and other types of malware.
• Promptly apply security patches and updates for operating systems, software applications, and browsers. This helps to address vulnerabilities that threat actors may exploit to deliver malware.
• Utilize web filtering solutions and URL reputation services to block access to known malicious websites and prevent users from visiting potentially dangerous links, such as those used in Ducktail infostealer campaigns.
• Implement network segmentation to restrict access and isolate critical systems, such as those hosting sensitive financial information or Facebook Business accounts. This prevents lateral movement of malware and limits the impact of a potential compromise.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.
• Maintain regular backups of critical data, including Facebook Business account information, and ensure they are stored securely offline. This enables quick recovery in case of a successful attack or data loss.