An ongoing spear phishing campaign has been targeting Facebook business accounts since the second half of 2021. The campaign uses an infostealer specifically designed to steal browser cookies for authenticated Facebook sessions, which it then uses to steal information from the account and ultimately hijack any business account that the victim can access.
WithSecure (formerly F-Secure) first detected the infostealer as unknown malware earlier this year. It has named the operation and malware Ducktail and has been tracking it since discovery. It is the first malware known to WithSecure that focuses specifically on Facebook business accounts.
The researchers are confident that the malware is Vietnamese in origin, has no specific geographic or vertical sector target, has been continuously updated and modified since H2 2021, and that the actor has been active since late 2018. The motivation for the Ducktail campaign is financial gain, and WithSecure has likened it to the SilentFade malware identified by Facebook at the end of 2018.
Target organizations are found by locating companies operating on Facebook’s Business/Ads platform. Individuals within those targets – people with managerial, digital marketing, digital media, and human resources roles – have been located, possibly through LinkedIn, and the malware has been delivered via LinkedIn.
“Many spear phishing campaigns target users on LinkedIn,” comments the WithSecure report (PDF) author, Mohammad Kazem Hassan Nejad. “If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with.”
Samples of the malware have been found hosted on cloud services such as Dropbox, iCloud and MediaFire. The process is to deliver the malware to the selected individuals via LinkedIn since the same people would likely have access to the Facebook business accounts. “The malware was often delivered as an archive file which contained the malware executable alongside related images, documents, and video files,” reports WithSecure.
Unusually, since late 2021 Ducktail has been written in .NET Core and compiled as a single file. This means the binary can run regardless of whether the .NET runtime is present on the victim computer, while Telegram can be used for C&C because the Telegram.Bot client, along with any other external dependencies, is embedded into the single executable.
The malware ensures that only a single instance is running at any time, scans for installed browsers to identify cookie paths, conducts general information gathering, and steals Facebook related information. Stolen data is exfiltrated to Telegram when the Facebook stealing and hijacking is complete, when the process exits or crashes, or when a code loop completes.
The newer versions of the malware run an infinite loop in the background, which allows continuous exfiltration of new cookies and any updates to the victim’s Facebook account. The purpose is to interact with the victim’s account, and ultimately create an email account controlled by the threat actor with the highest privilege role; that is, admin access and finance editor roles.
If successful, the admin access provides full control over the business account, while the finance editor role allows the attacker to (according to Facebook documentation), “edit business credit card information and financial details like transactions, invoices, account spend and payment methods. Finance editors can add businesses to your credit cards and monthly invoices. These businesses can use your payment methods to run ads.”
Apart from employing EDR for defense, the official Facebook Business administrator should regularly review account users, and look for and revoke access for any unknown users – especially if they have admin access with a finance editor role.
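The user review described above can be scripted against a roster of business account users. The following is an added example, not code from WithSecure or Facebook; the CSV column names, role labels, and approved list are assumptions, and the roster is constructed sample data.

```python
import csv
import io

# Constructed sample roster. Column names and role labels are assumptions
# for this example, not an actual Facebook export format.
SAMPLE_ROSTER = """email,business_role,finance_role,added_on
alice@example-corp.test,admin,finance_editor,2020-03-14
bob@example-corp.test,employee,none,2021-06-02
Carol@Example-Corp.test,admin,none,2019-11-20
ads.support.team@mailbox.test,admin,finance_editor,2022-07-19
dave@example-corp.test,employee,finance_analyst,2022-01-10
"""

# Users the official business administrator has approved (assumed list).
APPROVED = {"alice@example-corp.test", "bob@example-corp.test",
            "carol@example-corp.test"}


def audit_roster(roster_csv, approved):
    """Return (severity, email, reason) findings, most urgent first.

    Severity 0: unknown user holding admin access and finance editor.
    Severity 1: unknown user holding one of those roles.
    Severity 2: unknown user without either role.
    """
    approved = {a.strip().lower() for a in approved}
    findings = []
    for row in csv.DictReader(io.StringIO(roster_csv)):
        email = row["email"].strip().lower()  # compare case-insensitively
        if email in approved:
            continue
        is_admin = row["business_role"].strip().lower() == "admin"
        is_fin_editor = row["finance_role"].strip().lower() == "finance_editor"
        if is_admin and is_fin_editor:
            reason = "unknown user with admin access and finance editor role"
            findings.append((0, email, reason))
        elif is_admin or is_fin_editor:
            findings.append((1, email, "unknown user with a privileged role"))
        else:
            findings.append((2, email, "unknown user"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, email, reason in audit_roster(SAMPLE_ROSTER, APPROVED):
        print(f"[sev {severity}] {email}: {reason} -> review and revoke")
```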

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
