New Ducktail Infostealer Targets Facebook Business Accounts via LinkedIn

An ongoing spear phishing campaign has been targeting Facebook business accounts since the second half of 2021. The campaign uses an infostealer specifically designed to steal browser cookies for authenticated Facebook sessions to steal information from the account and ultimately hijack any business account that the victim can access.

WithSecure, formerly F-Secure, first detected the infostealer as an unknown malware earlier this year. It has named both the operation and the malware Ducktail and has tracked it since discovery. It is the first malware WithSecure knows of that focuses specifically on Facebook business accounts.

The researchers are confident that the malware is Vietnamese in origin, has no specific geographic or vertical-sector target, has been continuously updated and modified since H2 2021, and that the actor has been active since late 2018. The motivation for the Ducktail campaign is financial gain, and WithSecure likens it to the SilentFade malware that Facebook identified at the end of 2018.

Target organizations are found by locating companies operating on Facebook’s Business/Ads platform. Individuals within those targets, people with managerial, digital marketing, digital media and human resources roles, have then been located, possibly through LinkedIn, and the malware has been delivered to them via LinkedIn.

“Many spear phishing campaigns target users on LinkedIn,” comments the WithSecure report (PDF) author, Mohammad Kazem Hassan Nejad. “If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with.”

Samples of the malware have been found hosted on cloud services such as Dropbox, iCloud and MediaFire. The process is to deliver the malware to the selected individuals via LinkedIn since the same people would likely have access to the Facebook business accounts. “The malware was often delivered as an archive file which contained the malware executable alongside related images, documents, and video files,” reports WithSecure.

Unusually, since late 2021 Ducktail has been written in .NET Core and compiled as a single self-contained file. The .NET runtime and every external dependency, including the Telegram.Bot client library used for command and control, are bundled into one executable, so the binary runs whether or not a .NET runtime is installed on the victim’s computer.


The malware ensures that only a single instance is running at any time, scans for installed browsers to identify their cookie paths, gathers general system information, and steals Facebook-related information. Stolen data is exfiltrated to Telegram when the Facebook stealing and hijacking is complete, when the process exits or crashes, or when a code loop completes.

Newer versions of the malware run an infinite loop in the background, allowing continuous exfiltration of new cookies and of any updates to the victim’s Facebook account. The aim is to interact with the victim’s account through the stolen session and ultimately add a threat-actor-controlled email address to the business account with the highest privilege roles, that is, admin access and the finance editor role.
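Because the stealer ships as a self-contained single file under whatever name the lure archive gives it, a detection cannot rely on the image name and has to key on behaviour instead. The following is an added example (not code from WithSecure or from the malware itself) that encodes the two behaviours described above, a non-browser process reading a browser cookie store and a non-Telegram process resolving the Telegram Bot API host, as rules run over constructed EDR-style telemetry. The event field names (`EventType`, `Image`, `TargetFilename`, `QueryName`) and the sample events are assumptions made for the example; the cookie store paths are the well-known Windows locations for Chromium-based browsers and Firefox.

```python
"""Behaviour-based detection of Ducktail-style cookie theft and Telegram C2.

Added example. The telemetry format below is a constructed, EDR-style
simplification (dicts with EventType/Image/TargetFilename/QueryName); it is
not a real product's schema and not data from the WithSecure report.
"""
import re
from dataclasses import dataclass

# Cookie store locations on Windows for Chromium-based browsers (Chrome,
# Edge, Brave, Opera: "...\User Data\<Profile>\[Network\]Cookies") and
# Firefox ("...\Profiles\<profile>\cookies.sqlite"). Matched case-insensitively.
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
]

# Processes that legitimately touch their own cookie stores / the Telegram API.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
TELEGRAM_IMAGES = {"telegram.exe"}
TELEGRAM_API_HOST = "api.telegram.org"  # host used by Telegram.Bot-based C2


@dataclass
class Alert:
    rule: str
    image: str   # lower-cased image basename of the offending process
    detail: str  # the file path or DNS name that triggered the rule


def is_cookie_store(path: str) -> bool:
    """True if `path` points at a known browser cookie database."""
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def image_basename(image_path: str) -> str:
    return image_path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Apply both rules to a sequence of events and return the alerts in order."""
    alerts = []
    for ev in events:
        image = image_basename(ev["Image"])
        if ev["EventType"] == "FileRead":
            # Rule 1: a cookie store read by anything that is not a browser.
            if is_cookie_store(ev["TargetFilename"]) and image not in BROWSER_IMAGES:
                alerts.append(Alert("cookie_store_read_by_non_browser", image, ev["TargetFilename"]))
        elif ev["EventType"] == "DnsQuery":
            # Rule 2: Telegram Bot API resolved by a process that is not Telegram.
            if ev["QueryName"].lower() == TELEGRAM_API_HOST and image not in TELEGRAM_IMAGES:
                alerts.append(Alert("telegram_bot_api_from_non_telegram_process", image, ev["QueryName"]))
    return alerts


# Constructed sample telemetry: a benign browser read, a benign Telegram client
# lookup, and a lure executable ("photos.exe", a made-up name) reading Chrome and
# Firefox cookie stores and then resolving the Bot API host.
SAMPLE_EVENTS = [
    {"EventType": "FileRead", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"EventType": "DnsQuery", "Image": r"C:\Users\victim\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "QueryName": "api.telegram.org"},
    {"EventType": "FileRead", "Image": r"C:\Users\victim\Downloads\Project_Brief\photos.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"EventType": "FileRead", "Image": r"C:\Users\victim\Downloads\Project_Brief\photos.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\cookies.sqlite"},
    {"EventType": "DnsQuery", "Image": r"C:\Users\victim\Downloads\Project_Brief\photos.exe",
     "QueryName": "api.telegram.org"},
    {"EventType": "FileRead", "Image": r"C:\Users\victim\Downloads\Project_Brief\photos.exe",
     "TargetFilename": r"C:\Users\victim\Documents\Cookies.txt"},  # not a cookie store
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a.rule}: {a.image} -> {a.detail}")
```

The cookie-store rule is the more valuable of the two, since it catches any stealer regardless of its C2 channel; the Telegram rule only fires in environments that log process-attributed DNS, and a legitimate Telegram Desktop install is allowlisted by image name only, so a stealer that names itself `Telegram.exe` would slip past it.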

If successful, the admin access provides full control over the business account, while the finance editor role allows the attacker to (according to Facebook documentation), “edit business credit card information and financial details like transactions, invoices, account spend and payment methods. Finance editors can add businesses to your credit cards and monthly invoices. These businesses can use your payment methods to run ads.”

Apart from employing EDR for defense, the official Facebook Business administrator should regularly review the account’s users and look for, and revoke access for, any unknown users, especially any that hold admin access together with the finance editor role.
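One way to make that review routine rather than ad hoc is to diff the current user list against an allowlist and rank the strays by the privilege they hold. The example below is added here and is not code from WithSecure or from Meta; the record shape (`id`, `name`, `email`, `role`, `finance_permission`) is modelled on the fields of the Graph API `business_users` edge as an assumption, and the allowlist, mail domain and user list are all constructed for the example.

```python
"""Allowlist review of Facebook Business Manager users, flagging the
admin-plus-finance-editor combination Ducktail adds for its own address.

Added example. Field names follow the Graph API `business_users` edge as an
assumption (role: ADMIN/EMPLOYEE; finance_permission: FINANCE_EDITOR /
FINANCE_ANALYST / NONE); all data below is constructed.
"""

# Constructed allowlist: the company's own mail domain plus every person and
# agency contact who is supposed to be on the business account.
ALLOWED_DOMAINS = {"example.com"}
KNOWN_USERS = {
    "alice@example.com",
    "bob@example.com",
    "agency-pm@partner-agency.example",
}


def risk_score(user: dict) -> int:
    """Rank by how much damage the account could do: admin and finance editor
    are each worth 2, finance analyst 1. A score of 4 is the Ducktail pattern."""
    score = 0
    if user.get("role") == "ADMIN":
        score += 2
    fin = user.get("finance_permission")
    if fin == "FINANCE_EDITOR":
        score += 2
    elif fin == "FINANCE_ANALYST":
        score += 1
    return score


def review_users(users, known_users=KNOWN_USERS, allowed_domains=ALLOWED_DOMAINS):
    """Return every user whose e-mail is not on the allowlist, highest risk
    first, each with the reasons it was flagged. Users that are known are
    skipped even if highly privileged: that is what the allowlist is for."""
    flagged = []
    for u in users:
        email = (u.get("email") or "").lower()
        if email in known_users:
            continue
        domain = email.rsplit("@", 1)[-1] if "@" in email else ""
        reasons = ["not in allowlist"]
        if domain not in allowed_domains:
            reasons.append(f"external domain {domain or '(none)'}")
        risk = risk_score(u)
        if risk >= 4:
            reasons.append("admin + finance editor (Ducktail hijack pattern)")
        flagged.append({"id": u["id"], "email": email, "risk": risk, "reasons": reasons})
    flagged.sort(key=lambda f: (-f["risk"], f["email"]))
    return flagged


# Constructed user list as the business_users edge might return it. User 3 is
# the attacker-style entry: an unknown external address with full privileges.
SAMPLE_USERS = [
    {"id": "1", "name": "Alice", "email": "alice@example.com",
     "role": "ADMIN", "finance_permission": "FINANCE_EDITOR"},
    {"id": "2", "name": "Bob", "email": "bob@example.com",
     "role": "EMPLOYEE", "finance_permission": "NONE"},
    {"id": "3", "name": "Ops", "email": "new.admin.4471@example.net",
     "role": "ADMIN", "finance_permission": "FINANCE_EDITOR"},
    {"id": "4", "name": "Carol", "email": "carol@example.com",
     "role": "EMPLOYEE", "finance_permission": "FINANCE_ANALYST"},
    {"id": "5", "name": "Agency PM", "email": "agency-pm@partner-agency.example",
     "role": "EMPLOYEE", "finance_permission": "NONE"},
]

if __name__ == "__main__":
    for f in review_users(SAMPLE_USERS):
        print(f"user {f['id']} {f['email']} risk={f['risk']}: {', '.join(f['reasons'])}")
```

The output is a prioritised revocation list for whoever owns the account in Business Settings; the point of the allowlist is that a new admin appearing on a Monday morning is visible the same day, rather than when the first unexplained ad spend shows up on the invoice. Because the stealer runs in a loop and can re-add the address, the review should be repeated after the victim's sessions are invalidated, not just once.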


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
