An ongoing spear-phishing campaign has been targeting Facebook business accounts since the second half of 2021. It uses an infostealer built specifically to harvest browser cookies from authenticated Facebook sessions, use them to pull information from the account, and ultimately hijack any Facebook Business account the victim can access.
WithSecure, formerly F-Secure, first detected the infostealer as an unknown malware earlier this year. It has named the operation and the malware Ducktail and has tracked it since discovery. It is the first malware WithSecure knows of that specifically targets Facebook business accounts.
The researchers are confident that the malware is Vietnamese in origin, that it has no specific geographic or vertical-sector target, that it has been continuously updated and modified since H2 2021, and that the actor has been active since late 2018. The motivation behind Ducktail is financial gain; WithSecure likens the campaign to the SilentFade malware that Facebook identified at the end of 2018.
Target organizations are found by locating companies that operate on Facebook's Business/Ads platform. Individuals within those organizations (people in managerial, digital marketing, digital media and human resources roles) are then identified, possibly through LinkedIn, and LinkedIn is also the channel through which the malware is delivered.
“Many spear phishing campaigns target users on LinkedIn,” comments the WithSecure report (PDF) author, Mohammad Kazem Hassan Nejad. “If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with.”
Samples of the malware have been found hosted on cloud services such as Dropbox, iCloud and MediaFire. The malware is delivered to the selected individuals over LinkedIn, since those people are the ones likely to have access to the Facebook business accounts. “The malware was often delivered as an archive file which contained the malware executable alongside related images, documents, and video files,” reports WithSecure.
Unusually, since late 2021 Ducktail has been written in .NET Core and published as a self-contained single-file binary. The executable therefore runs whether or not a .NET runtime is installed on the victim's machine, and Telegram can be used for C&C because the Telegram.Bot client library, along with every other external dependency, is embedded in that one executable.
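The single-file packaging has a practical consequence for triage: such a binary is a native apphost with the managed code appended as a bundle, so a quick check for the bundle marker tells an analyst what they are looking at before any .NET tooling is involved. The Python below is an added illustration, not code from WithSecure, from the report, or from Ducktail itself. It relies on the layout of the dotnet single-file bundle marker (an 8-byte little-endian offset of the bundle header, immediately followed by the SHA-256 of the string ".net core bundle", with the header beginning with major version, minor version and file count). The synthetic sample it builds for demonstration is constructed here and is not a real PE file; the bundle ID string in it is hypothetical.

```python
import hashlib
import struct
import sys

# The .NET apphost carries a 40-byte marker: an 8-byte little-endian offset of
# the bundle header followed by SHA-256(".net core bundle"). Publishing with
# PublishSingleFile patches the offset; a plain apphost leaves it zero.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()


def find_bundle_header(data: bytes):
    """Return (header_offset, major, minor, file_count) when `data` is a
    single-file .NET bundle, otherwise None."""
    sig_at = data.find(BUNDLE_SIGNATURE)
    if sig_at < 8:  # absent, or too early to be preceded by the offset field
        return None
    (header_offset,) = struct.unpack_from("<q", data, sig_at - 8)
    # A zero offset is the unpatched placeholder of an ordinary apphost;
    # an out-of-range one means a corrupt or truncated file.
    if header_offset <= 0 or header_offset + 12 > len(data):
        return None
    # Bundle header starts: uint32 major version, uint32 minor version,
    # int32 number of embedded files.
    major, minor, file_count = struct.unpack_from("<IIi", data, header_offset)
    return header_offset, major, minor, file_count


def describe(path: str) -> str:
    """Human-readable verdict for a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    found = find_bundle_header(data)
    if found is None:
        return f"{path}: no single-file .NET bundle marker"
    offset, major, minor, count = found
    return (f"{path}: single-file .NET bundle v{major}.{minor}, "
            f"{count} embedded files, header at 0x{offset:x}")


def make_synthetic_bundle(major: int = 6, minor: int = 0, file_count: int = 3) -> bytes:
    """Constructed stand-in for a bundled executable (not a real PE file):
    filler bytes, then the patched marker, then a minimal header at the end."""
    filler = b"MZ" + b"\x90" * 264
    header_offset = len(filler) + 8 + len(BUNDLE_SIGNATURE)
    bundle_id = b"hypothetical-id"  # assumed value, real bundles use a random ID
    header = (struct.pack("<IIi", major, minor, file_count)
              + bytes([len(bundle_id)]) + bundle_id)
    return filler + struct.pack("<q", header_offset) + BUNDLE_SIGNATURE + header


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(describe(target))
    if len(sys.argv) == 1:
        print(find_bundle_header(make_synthetic_bundle()))
```

Run it with one or more file paths to get a verdict per file; a hit only says the file is a single-file .NET bundle, which is a property of many legitimate tools as well, so treat it as a triage signal to be combined with the delivery context described above rather than as a detection on its own.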
The malware ensures that only one instance runs at a time, scans for installed browsers to locate their cookie stores, gathers general system information, and steals Facebook-related data. Stolen data is exfiltrated to Telegram once the Facebook stealing and hijacking routine completes, when the process exits or crashes, or when a code loop completes.
Newer versions of the malware run an infinite loop in the background, allowing continuous exfiltration of new cookies and of any changes to the victim's Facebook account. The goal is to interact with the victim's account and ultimately add an email address controlled by the threat actor to the business account with the highest-privilege roles, namely admin access and the finance editor role.
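Because exfiltration goes to Telegram, the Bot API call pattern is one of the few network artefacts a defender can hunt for in proxy logs, and the background loop means the same bot is contacted repeatedly from the same host. The following Python is an added example, not WithSecure's detection logic and not anything taken from Ducktail: it scans proxy log lines for calls to api.telegram.org/bot<token>/<method>, ignores processes allowlisted for legitimate bot use, and reports, per host, process and bot, which ones used upload methods such as sendDocument. The log format (timestamp, host, process name, URL), the host and process names and the tokens are all constructed for the demonstration, and the token shape in the regular expression is an assumption based on public Bot API examples.

```python
import re
from collections import defaultdict

# Telegram Bot API requests look like https://api.telegram.org/bot<token>/<method>.
# Token shape (numeric bot id, colon, opaque secret) is assumed from public examples.
TELEGRAM_BOT_CALL = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
# Methods that push data out of the host; getUpdates is the command-polling side.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed proxy log lines for the demonstration (not real telemetry):
# "<timestamp> <host> <process> <url>". Hosts, processes and tokens are invented.
SAMPLE_LOG = """\
2022-07-12T09:14:02Z WS-0412 chrome.exe https://www.facebook.com/business/
2022-07-12T09:14:09Z WS-0412 Album2022.exe https://api.telegram.org/bot123456789:AAH3-constructed-token-ABC/getUpdates
2022-07-12T09:14:11Z WS-0412 Album2022.exe https://api.telegram.org/bot123456789:AAH3-constructed-token-ABC/sendDocument
2022-07-12T09:16:41Z WS-0412 Album2022.exe https://api.telegram.org/bot123456789:AAH3-constructed-token-ABC/sendDocument
2022-07-12T09:20:00Z SRV-MON alertbot.exe https://api.telegram.org/bot987654321:AAH9-constructed-token-XYZ/sendMessage
"""


def parse_line(line: str):
    """Return a dict describing a Bot API call, or None for any other line."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, host, proc, url = parts
    m = TELEGRAM_BOT_CALL.match(url)
    if m is None:
        return None
    return {"ts": ts, "host": host, "proc": proc.lower(), **m.groupdict()}


def hunt_telegram_exfil(log_text: str, allowed_procs=frozenset()):
    """Group Bot API calls by (host, process, bot id), drop allowlisted
    processes, and keep only the groups that used an upload method."""
    groups = defaultdict(lambda: {"calls": 0, "exfil_calls": 0, "methods": set(),
                                  "token": None, "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proc"] in allowed_procs:
            continue
        g = groups[(ev["host"], ev["proc"], ev["bot_id"])]
        g["calls"] += 1
        g["methods"].add(ev["method"])
        if ev["method"] in EXFIL_METHODS:
            g["exfil_calls"] += 1
        # Keep the full token: it is the actor's credential and is what
        # responders need when reporting the bot to Telegram.
        g["token"] = f'{ev["bot_id"]}:{ev["secret"]}'
        g["first"] = g["first"] or ev["ts"]
        g["last"] = ev["ts"]
    return {key: g for key, g in groups.items() if g["exfil_calls"] > 0}


if __name__ == "__main__":
    findings = hunt_telegram_exfil(SAMPLE_LOG, {"alertbot.exe"})
    for (host, proc, bot_id), g in findings.items():
        print(f"{host} {proc} -> bot {bot_id}: {g['exfil_calls']} upload calls "
              f"({', '.join(sorted(g['methods']))}) between {g['first']} and {g['last']}")
```

The allowlist matters: plenty of monitoring scripts post to Telegram legitimately, so the useful signal is an upload method from a process that has no business talking to the Bot API, on a workstation rather than a server, repeated over time as the background loop ships fresh cookies.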
If successful, admin access gives the attacker full control over the business account, while the finance editor role allows the attacker to (according to Facebook documentation) “edit business credit card information and financial details like transactions, invoices, account spend and payment methods. Finance editors can add businesses to your credit cards and monthly invoices. These businesses can use your payment methods to run ads.”
Beyond deploying EDR, the Facebook Business administrator should regularly review the account's users and revoke access for any they do not recognize, especially any that hold admin access or the finance editor role.