The Ducktail information stealer has been updated with new capabilities and the threat actors that use it have been expanding their operation, according to WithSecure, formerly known as F-Secure Business.
Initially detailed earlier this year, Ducktail is a piece of malware specifically targeting Facebook business users and is likely operated by Vietnamese-speaking individuals. Ducktail’s operators have been active since at least 2018, while the malware has been in use since the second half of 2021.
Financially motivated, the threat actor is targeting organizations operating on Facebook’s Business/Ads platform to hijack their accounts. Earlier this year, the Ducktail infostealer was being delivered via LinkedIn, but the operators have since changed techniques to evade detection.
Following public disclosure, the digital certificate used in the campaign was revoked, which resulted in the attackers attempting to use invalid certificates. After discovering that the efforts were not paying off, the attackers stopped the malware distribution in August, WithSecure says.
In September, however, the attackers resumed their activity, using a new malware variant compiled using the .NET 7 NativeAOT feature but based on the same code base as before. The malware would fetch email addresses from its command-and-control (C&C) server and was seen encrypting the data exfiltrated to the C&C.
In October, the attackers switched back to self-contained .NET Core 3 Windows binaries that featured anti-analysis code copied from GitHub. The malware was seen launching a decoy file, such as a document (.docx), spreadsheet (.xlsx), or video (.mp4), to disguise its malicious intent.
WithSecure also identified several multi-stage variants of Ducktail that would deliver the main information stealer as a final payload. These include an Excel add-in file (.xll) and a .NET downloader.
To evade detection, the threat actor has been signing the malware with EV (extended validation) certificates, and has been observed changing these certificates after revocation, mid-campaign.
While Telegram continues to be used for C&C purposes, the threat actor has associated multiple administrator accounts with its Telegram channels, which suggests that they might be running an affiliate program as part of their expansion efforts, WithSecure says.
Code signing certificates have been acquired via businesses registered in Vietnam, with seven such firms identified to date. The first of these was registered in 2017, but it made the first certificate purchase only in 2021.
While investigating Ducktail incidents, WithSecure discovered that some victims were targeted with archive files via WhatsApp. When the victim lacked sufficient permissions to add the attackers’ email address to the intended Facebook business account, the adversary gathered enough information to impersonate the victim and achieve their objective via hands-on activity.
“One of these hands-on incidents involved a victim operating entirely within the Apple ecosystem that had not logged on to their Facebook account from any Windows machine. The initial vector for this incident has been left undetermined due to insufficient evidence. The investigation found no sign of malware usage or host compromise across user devices,” WithSecure says.
The cybersecurity firm estimates that the financial losses caused by Ducktail range between $100,000 and $600,000, depending on the victim.