Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a spear-phishing email that contains a malicious attachment or a link to a malicious website. Once the malware infects a system, it establishes a persistent presence and begins to gather information about the system and the network it is connected to.
This info-stealer is being disseminated through Facebook URLs, employing a technique that redirects users to suspicious websites or pages. Once redirected, users are prompted to manually click on a download button, which initiates the download of malicious files onto their devices. This method of distribution capitalizes on user interaction and engagement to deceive them into downloading the malware. The malicious files obtained through this process pose a significant threat to the security and privacy of the affected users, potentially leading to various harmful consequences such as unauthorized access to sensitive information, system compromise, or further malware infections.
The research team has been analyzing a series of info-stealing malware, and they have recently come across an interesting campaign involving the PHP version of Ducktail Infostealer. This malware is being actively distributed by disguising itself as a free or cracked application installer for popular software, including games, Microsoft Office applications, and Telegram. Ducktail Infostealer, attributed to a Vietnamese threat group, has been active since 2021 and has primarily targeted Facebook Business accounts with the objective of manipulating pages and gaining access to financial information.
The Ducktail Infostealer instances were first identified in late 2021. In July 2022, researchers observed that the threat actors were specifically targeting higher-level employees with access to Facebook Business accounts to steal data and take control of the accounts. The earlier versions of Ducktail were based on a binary written in .NET Core and utilized Telegram as its command and control (C2) channel for exfiltrating data. However, in August 2022, a new campaign was observed involving a PHP version of Ducktail Infostealer with new tactics, techniques, and procedures (TTPs).
According to an analysis, the threat actors have shifted their focus from targeting specific employees with administrative or financial access to Facebook Business accounts to a broader audience. The malicious executable files are typically in .ZIP format and are hosted on file sharing platforms, posing as cracked or free versions of popular applications like Office, games, subtitles, and explicit content files. Compared to previous campaigns, changes have been made in the execution of the malicious code. The threat actors now employ a scripting version where the main stealer code is a PHP script instead of a .NET binary.
The execution flow begins with a fake installer that generates a temporary file, which then re-initiates the installer with a “/Silent” parameter. Another temporary file is created, which drops all the supporting files and malicious files at a specific location on the victim’s machine. To achieve persistence, a series of events take place, scheduling tasks to execute the malicious payload, named “libbridged.exe,” on a daily basis and at regular intervals.
The stealing of data and its exfiltration are achieved by decrypting the stealer code at runtime in memory. The PHP script performs various actions, such as fetching browser information, extracting stored browser cookies, targeting Facebook Business accounts, searching for cryptocurrency account information in the wallet.dat file, and sending the collected data to the command and control (C&C) server.
The PHP script creates PHP associative arrays to prepare for data transmission to the C&C server. The CURL command is used for sending and receiving files over HTTP, and specific switches are employed during communication.
The script also collects information about installed browsers, retrieves data from the local state file in the Chrome user data directory, decodes sensitive data protected by Chrome’s local data encryption, encodes stolen information to base64, and saves it to log files. It specifically targets Facebook pages, including Facebook API graph, Facebook Ads Manager, and Facebook Business accounts, to gather account details, payment cycles, account statuses, funding sources, and other relevant information.
After completing the data stealing activities, the PHP script connects to the C&C server to obtain a list of targeted folders and URLs stored in JSON format, which are then used to gather further information. The stolen data is sent to the C&C server in JSON format.
Ducktail infostealer has been observed actively targeting victims. During a recent campaign of ducktail infostealer, it was observed that a file was downloaded while the user was using Facebook. The user followed a URL which after going through multiple redirections ended up on the malicious url or page. On those pages, the user manually clicked on a download button to initiate the download of a ZIP file named Album_My_Lovely_Girlfriend.zip and Album_Lonely_Girl_In_Hotels.zip. These campaigns have primarily focused on the takeover of Facebook accounts, with the intention of manipulating pages and gaining access to sensitive financial information.
To conclude, the threat actors behind the Ducktail Infostealer campaign are continuously evolving their delivery mechanisms and tactics to steal a wide range of sensitive user and system information, particularly targeting Facebook Business accounts.