Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Severity

High

Analysis Summary

Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a spear-phishing email that contains a malicious attachment or a link to a malicious website. Once the malware infects a system, it establishes a persistent presence and begins to gather information about the system and the network it is connected to.

This info-stealer is being disseminated through Facebook URLs, employing a technique that redirects users to suspicious websites or pages. Once redirected, users are prompted to manually click on a download button, which initiates the download of malicious files onto their devices. This method of distribution capitalizes on user interaction and engagement to deceive them into downloading the malware. The malicious files obtained through this process pose a significant threat to the security and privacy of the affected users, potentially leading to various harmful consequences such as unauthorized access to sensitive information, system compromise, or further malware infections.

The research team has been analyzing a series of info-stealing malware, and they have recently come across an interesting campaign involving the PHP version of Ducktail Infostealer. This malware is being actively distributed by disguising itself as a free or cracked application installer for popular software, including games, Microsoft Office applications, and Telegram. Ducktail Infostealer, attributed to a Vietnamese threat group, has been active since 2021 and has primarily targeted Facebook Business accounts to manipulate pages and gain access to financial information.

The Ducktail Infostealer instances were first identified in late 2021. In July 2022, researchers observed that the threat actors were specifically targeting higher-level employees with access to Facebook Business accounts to steal data and take control of the accounts. The earlier versions of Ducktail were based on a binary written in .NET Core and utilized Telegram as its command and control (C2) channel for exfiltrating data. However, in August 2022, a new campaign was observed involving a PHP version of Ducktail Infostealer with new tactics, techniques, and procedures (TTPs).

According to an analysis, the threat actors have shifted their focus from targeting specific employees with administrative or financial access to Facebook Business accounts to a broader audience. The malicious executable files are typically in .ZIP format and are hosted on file-sharing platforms, posing as cracked or free versions of popular applications like Office, games, subtitles, and explicit content files. Compared to previous campaigns, changes have been made in the execution of the malicious code. The threat actors now employ a scripting version where the main stealer code is a PHP script instead of a .NET binary.

The execution flow begins with a fake installer that generates a temporary file, which then re-initiates the installer with a “/Silent” parameter. Another temporary file is created, which drops all the supporting files and malicious files at a specific location on the victim’s machine. To achieve persistence, a series of events take place, scheduling tasks to execute the malicious payload, named “libbridged.exe,” daily and at regular intervals.

The stealing of data and its exfiltration are achieved by decrypting the stealer code at runtime in memory. The PHP script performs various actions, such as fetching browser information, extracting stored browser cookies, targeting Facebook Business accounts, searching for cryptocurrency account information in the wallet.dat file, and sending the collected data to the command and control (C&C) server.

The PHP script creates PHP associative arrays to prepare for data transmission to the C&C server. The CURL command is used for sending and receiving files over HTTP, and specific switches are employed during communication.

The script also collects information about installed browsers, retrieves data from the local state file in the Chrome user data directory, decodes sensitive data protected by Chrome’s local data encryption, encodes stolen information to base64, and saves it to log files. It specifically targets Facebook pages, including Facebook API graph, Facebook Ads Manager, and Facebook Business accounts, to gather account details, payment cycles, account statuses, funding sources, and other relevant information.

After completing the data-stealing activities, the PHP script connects to the C&C server to obtain a list of targeted folders and URLs stored in JSON format, which are then used to gather further information. The stolen data is sent to the C&C server in JSON format.

To conclude, the threat actors behind the Ducktail Infostealer campaign are continuously evolving their delivery mechanisms and tactics to steal a wide range of sensitive user and system information, particularly targeting Facebook Business accounts.

Impact

• Sensitive Information Theft
• Credential Theft

Indicators of Compromise

MD5

• 6fa7c668dec39fcaf84338331399fdeb
• 0e0928563ab23c23f59b041409091e6a
• 5032bc8fd52c98b7b522d40ff4ca058b
• 2412e078206c85f735195d3dc2d33f2b
• 038a605aa5a729fd4209b2c573ef806c
• 39293fc59431debd0f7e174e29e5e4ae
• 9918b80ee575549cc036e80f9909aa74
• 3fa9a5cda923e30dd731780c253b4902
• f92c6da21ea396dd26830ecb5fd2941c
• cc6195169b55e6e0613031a95c3da241
• ee8344965bd773cc5d735d94a3e55070
• 40e5c84ab80c46cd5e447c1cb5f7eacf

SHA-256

• ff1c5abce22b767e38d18198858fff56406bccaca801d6eab9a22490cf121c33
• 10ece3594f39e67090d3a836e07263e44ae561aa60ab45e273d140160701c177
• 31d3a5ac427d9530344bd12d9470a1bbb98597e0327823d7eb14dcdd24120f2d
• 742c04ee12634d14652390f1a468f7277b4af84b264313ff012de7207ba5d2c2
• df567ecbedc3b42978ba0b0fe58e19e26bb6ae81edf9a1dab73762312806c66e
• f537520c5af0fec5bc39f2b361e9aeb64f92e38f507388b96990d437c3e36856
• 2e23e32ad8813802d95e0636c0964ffd3d1ea34bab953dc1106c2b48e6e1ffda
• 5f57883533c6cad101eb9d1813ebca8601ec32ec0cc33da21c2ba49887bf1ccc
• ed7beb275a3d3c22f3d3dd0ed4355950151eef6b082d5c22586bd3febe21eff1
• ff2b6be92d3694869552e2033074ae2a3c46f03d727274131a12d82a21d09a24
• eb56ce8800423315cdbac7f17d737b274f2205aff433a2b5f748f786f62011da
• 08a805f1e96076d617e21e9263e6d21e27999a6df7f063ff01b1e01a9a130c6a

SHA-1

• d708e87f6d05da1a05289664640d00d0ea6ed8c7
• 0aa41325131f54fcacb6dc88b29a89d87e6589ac
• 7af75796a5067bb2bec910790737ea14a0734896
• 569b26cc1b2bdae0aaafb5aaba04619ba744d095
• 0ca91ed29ece614fe5458f0696fbf9b28632f888
• 21adca68c9887376e2a93bf8f9585b063eed61ff
• de5aa488e3903f19f857e6b55fc59c73a4703646
• 2237fce1c416fc6aaa34f68ca4d48bdd8f4d3ffd
• 418f5f1de3ca2ed79f66e2ece2c95fd24fd7f38a
• 8657ba1904907e97c5f0dd2c9752634389a8bbca
• 8a1a40a6cc7c06cd3dbf78746392d84b5cb5940c
• 7aa49dfa9102b3e62681721f25961fae4daf1c49

Domain Name

• lamborghini-aventador.live
• teccostore.com
• fixtest123.uk

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain daily backups of all computer networks and servers.