
Ducktail Malware Operation Evolves with New Malicious Capabilities

by crpt os


The operators of the Ducktail information stealer have demonstrated a “relentless willingness to persist” and continued to update their malware as part of an ongoing financially driven campaign.

“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account,” WithSecure researcher Mohammad Kazem Hassan Nejad said in a new analysis.

“The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access. The threat actor uses their gained access to run ads for monetary gain.”

Attributed to a Vietnamese threat actor, the Ducktail campaign is designed to target businesses in the digital marketing and advertising sectors that are active on the Facebook Ads and Business platform.

Also targeted are individuals within prospective companies that are likely to have high-level access to Facebook Business accounts. This includes marketing, media, and human resources personnel.

The malicious activity was first documented by the Finnish cybersecurity company in July 2022. The operation is believed to have been underway since the second half of 2021, although evidence points to the threat actor being active as far back as late 2018.

Ducktail malware

A subsequent analysis by Zscaler ThreatLabz last month uncovered a PHP version of the malware distributed as installers for cracked software. WithSecure, however, said the activity has no connection whatsoever to the campaign it tracks under the Ducktail moniker.

The latest iteration of the malware, which resurfaced on September 6, 2022, after the threat actor was forced to halt its operations on August 12 in response to public disclosure, comes with a host of improvements incorporated to circumvent detection.

Infection chains now commence with the delivery of archive files containing spreadsheet documents hosted on Apple iCloud and Discord through platforms like LinkedIn and WhatsApp, indicating diversification of the threat actor’s spear-phishing tactics.

The Facebook Business account information collected by the malware is exfiltrated via Telegram. The malware itself is signed using digital certificates obtained under the guise of seven different non-existent businesses.

“An interesting shift that was observed with the latest campaign is that [the Telegram command-and-control] channels now include multiple administrator accounts, indicating that the adversary may be running an affiliate program,” Nejad explained.
