An Infostealer Malware Exploits Social Media Business Accounts of High-Position Individuals
DUCKTAIL is a financially motivated malware family that specifically targets individuals and businesses using a Social Media Business/Ads platform. The malware is created by Threat Actors (TAs) operating out of Vietnam, who have been actively developing and distributing malware associated with the DUCKTAIL operation since the second half of 2021.
The malware is specifically designed to extract browser cookies and take advantage of social media sessions to steal sensitive information from the victim’s Social Media account. Ultimately, the malware operation aims to gain control of Social Media Business accounts with adequate access privileges. TAs then use their acquired access to conduct advertisements for their financial gain.
Cyble Research and Intelligence Labs (CRIL) recently encountered malware files specifically targeting Marketing and HR professionals.
The figure below displays the filenames employed during this campaign.
The TA’s strategy involved identifying companies using Social Media’s Business/Ads platform and specifically focusing on individuals in managerial positions within the marketing and HR departments. These individuals held significant access to the Social Media Business platform within their respective organizations, making them prime targets.
The TAs focused on themes related to digital marketing projects, job descriptions, plans for various positions, and policy and salary information associated with companies in the Clothing, Footwear, and Cosmetics industries.
TAs utilize popular file-sharing services such as Dropbox, Google Drive, and Microsoft OneDrive to host their malware. Their main approach involves employing social engineering tactics to entice victims into downloading and executing the malicious payload.
To initiate the attack, they commonly employ ZIP files to deliver the initial payload. It is important to mention that we only obtained access to the download link and, therefore, cannot confirm the exact method to deliver these links to the intended targets. Considering Ducktail’s past behavior, it is possible that the group also utilizes LinkedIn messages as a distribution method.
The provided Dropbox link leads to downloading a file named “Project Information And Salary Details At AVALON ORGANICS.zip”.
The following image illustrates the contents of a zip archive file, including PNG/JPG images of beauty products and executable files disguised with Word/PDF icons.
The two executable files, namely ‘Performance Marketing Manager Salary and Benefits.exe’ and ‘The role of Performance Marketing Manager.exe’, specifically target Marketing professionals.
These files, the actual "Ducktail" payload, are disguised with Word/PDF icons to make victims believe they are genuine document files.
Technical Details: Ducktail
The DUCKTAIL operation started in late 2021. The samples associated with it are written in .NET Core and compiled as a single executable file that bundles the main assembly together with its dependent libraries and files.
Upon execution, the malware conducts a comprehensive scan of the victim’s computer, specifically targeting popular browsers such as:
- Google Chrome
- Microsoft Edge
- Brave Browser
- Mozilla Firefox
After identifying the browsers, the malware extracts all stored cookies, including any Social Media session cookies that might be present, from each of them.
Additionally, the malware scans the registry key HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet to retrieve each installed browser's name, executable path, and icon path.
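Defenders can look for the cookie-store access described above from the host side. The following is an added example, not code from the post or from DUCKTAIL: it assumes file-access telemetry from an EDR in the form of simple records carrying the accessing process image and the target path, and the sample events, process names and profile paths (default Chrome/Edge/Brave/Firefox locations only) are constructed for illustration.

```python
"""Flag non-browser processes opening browser cookie stores.

Added example (not from the original post or from DUCKTAIL). Assumes
file-access telemetry as dicts with "image" and "target"; the records
below are constructed.
"""
import re

# Cookie store locations for the four browsers the post names (default
# profile layouts; other channels or portable installs need extra patterns).
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\BraveSoftware\\Brave-Browser\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
]

# Processes that legitimately read their own cookie store.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

def is_cookie_store(path):
    """True when the path is one of the known browser cookie databases."""
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)

def suspicious_cookie_access(events):
    """Return events where a non-browser image opened a cookie store."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if is_cookie_store(ev["target"]) and image not in BROWSER_IMAGES:
            hits.append(ev)
    return hits

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Users\u\Downloads\The role of Performance Marketing Manager.exe",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Users\u\Downloads\The role of Performance Marketing Manager.exe",
     "target": r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default-release\cookies.sqlite"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\u\Documents\notes.txt"},
]

if __name__ == "__main__":
    for ev in suspicious_cookie_access(SAMPLE_EVENTS):
        print("ALERT:", ev["image"], "->", ev["target"])
```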
Hijacking Social Media Business Accounts
The malware uses the victim's Social Media session cookie and other obtained security credentials to communicate directly with Social Media endpoints from the victim's computer and extract information from their Social Media account. DUCKTAIL also checks whether two-factor authentication (2FA) is required on the account; in such cases, it tries to acquire the recovery codes. In addition to session cookies, the malware can steal access tokens, user agents, and IP addresses.
Typically, Ducktail gains unauthorized access to Business accounts through the Social Media accounts linked to individuals' personal identities. By adding TA-controlled email addresses to the Social Media Business accounts, the malware gives the TAs control over those accounts. It also gathers various details, including victims' names, birthdays, email addresses, and user IDs.
Exfiltration via Telegram
The TAs rely entirely on Telegram as their Command and Control (C&C) channel, using the Telegram Bot functionality to exfiltrate the stolen data. DUCKTAIL's malware component employs the Telegram.Bot client library for this purpose.
The code snippet below depicts a function that uploads a file to a Telegram chat using the Telegram Bot functionality.
Finally, the malware also runs an infinite loop in the background, making exfiltration a continuous process.
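A network-level detection for this exfiltration channel, as an added example (not the post's snippet and not DUCKTAIL's code): it assumes a simple space-separated web-proxy log (timestamp, client IP, HTTP method, URL, bytes sent), and the bot token, IP addresses and log lines are constructed.

```python
"""Spot Telegram Bot API exfiltration in web-proxy logs.

Added example, not code from the original post or from DUCKTAIL itself.
It assumes a space-separated proxy log (timestamp, client IP, HTTP
method, URL, bytes sent); the token, IPs and log lines are constructed.
"""
import re
from collections import defaultdict

# Bot API calls have the form https://api.telegram.org/bot<id>:<secret>/<method>;
# the token pattern (digits, colon, 35 characters) is the common token shape.
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>\w+)"
)
# Bot methods that move data off the host (a file upload uses sendDocument).
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

def parse_line(line):
    ts, client, http_method, url, size = line.split()
    return {"ts": ts, "client": client, "http": http_method, "url": url, "bytes": int(size)}

def redact_token(token):
    """Keep the numeric bot id for correlation; never log the secret half."""
    bot_id = token.split(":", 1)[0]
    return bot_id + ":<redacted>"

def find_exfil(lines, min_uploads=2):
    """Summarise clients that repeatedly upload via the Bot API (beacon-like)."""
    per_client = defaultdict(lambda: {"uploads": 0, "bytes": 0, "bots": set()})
    for line in lines:
        rec = parse_line(line)
        m = BOT_CALL.search(rec["url"])
        if not m or m.group("method") not in UPLOAD_METHODS:
            continue
        summary = per_client[rec["client"]]
        summary["uploads"] += 1
        summary["bytes"] += rec["bytes"]
        summary["bots"].add(redact_token(m.group("token")))
    return {c: s for c, s in per_client.items() if s["uploads"] >= min_uploads}

# Constructed sample log: fake token (35 'A's) and private IPs.
FAKE_TOKEN = "123456789:" + "A" * 35
SAMPLE_LOG = [
    f"2023-06-01T10:00:01 10.0.0.5 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument 48213",
    f"2023-06-01T10:00:31 10.0.0.5 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument 51990",
    f"2023-06-01T10:01:01 10.0.0.5 GET https://api.telegram.org/bot{FAKE_TOKEN}/getMe 0",
    "2023-06-01T10:02:00 10.0.0.9 GET https://web.telegram.org/ 0",
]

if __name__ == "__main__":
    for client, s in find_exfil(SAMPLE_LOG).items():
        print(f"{client}: {s['uploads']} uploads, {s['bytes']} bytes, bots {sorted(s['bots'])}")
```

Blocking api.telegram.org outright is the simplest control where no business use exists; where it does, the per-client upload count and volume above give a beacon-style signal without logging the bot secret.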
Ducktail is a specifically designed information stealer that can have severe consequences, such as privacy breaches, financial losses, and identity theft. Its constant updates enable it to bypass most Social Media platforms’ security measures, specifically targeting advertising and business accounts. With the ability to hijack Social Media accounts, DUCKTAIL poses a significant threat to user privacy and the overall security of Social Media Business accounts.
CRIL will continue to monitor the latest circulating phishing or malware strains, offering timely blogs that provide actionable intelligence to help users protect themselves against these well-known attacks.
- Avoid downloading applications from unknown sources.
- Use a reputable anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Update your passwords periodically.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beacons at the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on employees’ systems.
MITRE ATT&CK® Techniques
|Tactic|Technique ID|Technique Name|
|---|---|---|
|Execution|T1047|Windows Management Instrumentation|
|Execution|T1059|Command and Scripting Interpreter|
|Defense Evasion|T1027|Obfuscated Files or Information|
|Credential Access|T1003|OS Credential Dumping|
|Discovery|T1082|System Information Discovery|
|Discovery|T1083|File and Directory Discovery|
|Discovery|T1518.001|Security Software Discovery|
|Collection|T1006|Data from Local System|
Indicators Of Compromise
|Indicators|Indicator Type|Description|
|---|---|---|
| |MD5, SHA1, SHA256|Project Information And Salary Details At AVALON ORGANICS.zip|
| |MD5, SHA1, SHA256|The role of Performance Marketing Manager.exe|
| |MD5, SHA1, SHA256|Performance Marketing Manager Salary and Benefits.exe|
|hxxps[:]//www[.]dropbox[.]com/s/ng04kf3c1x1nya1/Project%20Information%20And%20Salary%20Details%20At%20AVALON%20ORGANICS[.]zip?dl=1|URL|Dropbox link to download payload|