DuckTail: An Infostealer Malware Targeting Facebook Business Accounts

upnorth


WithSecure™ has discovered an ongoing operation (dubbed "DUCKTAIL") that targets individuals and organizations that operate on Facebook’s Business and Ads platform.
Our investigation reveals that the threat actor has been actively developing and distributing malware linked to the DUCKTAIL operation since the latter half of 2021. Evidence suggests that the threat actor may have been active in the cybercriminal space as early as late 2018. The investigation conducted by WithSecure Intelligence and findings of this report primarily focus on the malware component of the operation.

WithSecure cannot determine the success, or lack thereof, that the threat actor has had in circumventing Facebook's existing security features and hijacking businesses. However, the threat actor has continued to update and push out the malware in an attempt to improve its ability to bypass existing/new Facebook security features alongside other implemented features. The chain of evidence suggests that the threat actor’s motives are financially driven, similar to the SilentFade campaign that was discovered by Meta.
Based on telemetry and investigation conducted by WithSecure, one approach employed by the threat actor is to scout for companies that operate on Facebook’s Business/Ads platform and directly target individuals within the company/business that might have high-level access to the Facebook Business. We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted. WithSecure Countercept Detection and Response team has identified instances where the malware was delivered to victims through LinkedIn.

These tactics would increase the adversary’s chances of compromising the respective Facebook Business all the while flying under the radar. Some of the observed samples have been hosted on file or cloud hosting services, such as Dropbox, iCloud, and MediaFire. The malware was often delivered as an archive file which contained the malware executable alongside related images, documents, and video files. The content and file names (listed in the appendices section) revealed how the threat actor intended to lure victims into launching their malware. The file names generally utilized keywords related to brands, products, and project planning. Some examples include: “project development plan, project information, products.pdf.exe” and “new project l'oréal budget business plan.exe”. Moreover, some of the observed samples had country names appended to the file name which indicates that the threat actor tailors the file name based on the target’s locality. This indicates that the threat actor was aware of the victim’s locations ahead of time. WithSecure’s telemetry suggests that the threat actor does not target a specific region or country.
Since late 2021, samples associated with the DUCKTAIL operation were exclusively written in .NET Core and were compiled using its single file feature. This feature bundles all dependent libraries and files into a single executable, including the main assembly. The usage of .NET Core and its single-file feature is not commonly seen in malware. Prior to this, the threat actor used the traditional .NET Framework. Based on our analysis, this transition alongside the utilization of single file feature was done for the following reasons:

• To create a self-contained binary that runs on all machines without the need for .NET runtime to be installed on the victim’s machine. Older malware samples associated with the threat actor were bundled with offline .NET framework installers. Note that single file deployment isn't compatible with Windows 7.
• To allow for the usage of Telegram as a Command and Control (C&C) channel by embedding the Telegram.Bot client as well as any other external dependencies into a single executable.
• To attempt to bypass detection signatures, as previous samples that were developed in .NET have had higher detection rates compared to the latest samples.
Full source:
 
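The report notes that the single-file feature bundles the main assembly and every dependency (the Telegram.Bot client included) into one executable, which is what makes these samples look different from a classic .NET Framework dropper. For triage, a defender wants a quick way to recognise such a bundle and list what it embeds. The script below is an added example, not code from WithSecure or from this thread: it locates the .NET single-file bundle marker (the SHA-256 of the string ".net core bundle", preceded by the 8-byte offset of the manifest header) and walks the manifest to enumerate embedded files. The manifest field layout follows my reading of the dotnet/runtime HostModel sources and should be treated as an assumption; the sample blob it parses is constructed in-line and is not a DuckTail binary.

```python
import hashlib
import io
import struct

# Marker the apphost carries: 32-byte SHA-256 of ".net core bundle", with the
# manifest header offset stored as a little-endian int64 just before it.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()

# File-type byte meanings as I understand them from HostModel (assumption).
FILE_TYPES = {0: "Unknown", 1: "Assembly", 2: "NativeBinary",
              3: "DepsJson", 4: "RuntimeConfigJson", 5: "Symbols"}


def _read_7bit_string(buf):
    """Read a BinaryWriter-style string: 7-bit encoded length, then UTF-8."""
    length, shift = 0, 0
    while True:
        b = buf.read(1)
        if not b:
            raise ValueError("truncated string length")
        length |= (b[0] & 0x7F) << shift
        if not b[0] & 0x80:
            break
        shift += 7
    data = buf.read(length)
    if len(data) != length:
        raise ValueError("truncated string")
    return data.decode("utf-8")


def find_bundle_marker(data):
    """Return the manifest header offset if data is a single-file bundle, else None."""
    pos = data.find(BUNDLE_SIGNATURE)
    if pos < 8:
        return None
    (header_offset,) = struct.unpack_from("<q", data, pos - 8)
    # An unbundled apphost template keeps a zero placeholder here.
    if header_offset <= 0 or header_offset >= len(data):
        return None
    return header_offset


def parse_bundle_manifest(data):
    """Parse the bundle manifest header and the table of embedded files."""
    header_offset = find_bundle_marker(data)
    if header_offset is None:
        return None
    buf = io.BytesIO(data[header_offset:])
    major, minor, count = struct.unpack("<IIi", buf.read(12))
    bundle_id = _read_7bit_string(buf)
    flags = 0
    if major >= 2:
        buf.read(32)  # deps.json and runtimeconfig.json offset/size pairs
        (flags,) = struct.unpack("<Q", buf.read(8))
    files = []
    for _ in range(count):
        offset, size = struct.unpack("<qq", buf.read(16))
        compressed = 0
        if major >= 6:  # v6 manifests add a compressed-size field
            (compressed,) = struct.unpack("<q", buf.read(8))
        ftype = buf.read(1)[0]
        files.append({"path": _read_7bit_string(buf), "offset": offset,
                      "size": size, "compressed_size": compressed,
                      "type": FILE_TYPES.get(ftype, str(ftype))})
    return {"version": (major, minor), "bundle_id": bundle_id,
            "flags": flags, "files": files}


def _write_7bit_string(s):
    raw, out, n = s.encode("utf-8"), bytearray(), len(s.encode("utf-8"))
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out) + raw


def build_sample_bundle():
    """Constructed sample only: a fake MZ stub carrying a v6 bundle manifest."""
    head = b"MZ" + b"\x00" * 62 + b"constructed apphost stub "
    tail = b"\x00" * 40
    stub_len = len(head) + 8 + len(BUNDLE_SIGNATURE) + len(tail)
    body = b"A" * 64 + b"B" * 32  # stand-ins for two embedded assemblies
    files = [("Sample.dll", 0, 64, 1), ("Telegram.Bot.dll", 64, 32, 1)]
    manifest = struct.pack("<IIi", 6, 0, len(files)) + _write_7bit_string("ABC123")
    manifest += struct.pack("<qqqqQ", 0, 0, 0, 0, 0)
    for path, off, size, ftype in files:
        manifest += struct.pack("<qqqB", stub_len + off, size, 0, ftype)
        manifest += _write_7bit_string(path)
    header_offset = stub_len + len(body)
    stub = head + struct.pack("<q", header_offset) + BUNDLE_SIGNATURE + tail
    return stub + body + manifest


if __name__ == "__main__":
    info = parse_bundle_manifest(build_sample_bundle())
    print("bundle", info["bundle_id"], "version", info["version"])
    for f in info["files"]:
        print(f"  {f['type']:<10} {f['path']} @ {f['offset']} ({f['size']} bytes)")
```

Run against a real binary, `parse_bundle_manifest(open(path, "rb").read())` returning `None` means no bundle marker with a populated offset was found; a populated manifest whose file list includes the bot client library alongside the main assembly is the kind of signal the report describes, and the offsets it yields let you carve each embedded file for separate scanning.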
