SecurityWeek

Cybercrime

Vietnam-Based Ducktail Cybercrime Operation Evolving, Expanding

The Ducktail information stealer has been updated with new capabilities and the threat actors that use it have been expanding their operation, according to WithSecure, formerly known as F-Secure Business.

Initially detailed earlier this year, Ducktail is a piece of malware specifically targeting Facebook business users and is likely operated by Vietnamese-speaking individuals. Ducktail’s operators have been active since at least 2018, while the malware has been in use since the second half of 2021.

Financially motivated, the threat actor targets organizations operating on Facebook’s Business/Ads platform in order to hijack their accounts. Earlier this year, the Ducktail infostealer was being delivered via LinkedIn, but the operators have since changed techniques to evade detection.

Following public disclosure, the digital certificate used in the campaign was revoked, which resulted in the attackers attempting to use invalid certificates. After discovering that the efforts were not paying off, the attackers stopped the malware distribution in August, WithSecure says.

In September, however, the attackers resumed their activity, using a new malware variant compiled using the .NET 7 NativeAOT feature but based on the same code base as before. The malware would fetch email addresses from its command-and-control (C&C) server and was seen encrypting the data exfiltrated to the C&C.

In October, the attackers switched back to self-contained .NET Core 3 Windows binaries that featured anti-analysis code copied from GitHub. To hide its malicious intent, the malware was seen launching a dummy file such as a document (.docx), spreadsheet (.xlsx), or video (.mp4).

WithSecure also identified several multi-stage variants of Ducktail that would deliver the main information stealer as a final payload. These include an Excel add-in file (.xll) and a .NET downloader.

To evade detection, the threat actor has been signing the malware with EV (extended validation) certificates, and has been observed changing these certificates after revocation, mid-campaign.
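Because the campaign's signing certificates were revoked and then replaced mid-campaign, a defender triaging suspect Windows binaries wants to know not just whether a file is signed, but whether its signer's certificate chain now reports a revocation. The following PowerShell is an added example written for this article and is not WithSecure's or SecurityWeek's code; the `Get-SignerRevocationStatus` function name and the `C:\Quarantine` folder path are assumptions chosen for illustration, and the online revocation check needs network access to the CA's CRL/OCSP endpoints.

```powershell
# Added example (not from the original article): report the Authenticode signer of a
# Windows binary and whether its certificate chain now contains a revoked certificate.
function Get-SignerRevocationStatus {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        # Unsigned files have no chain to check; surface the status and stop.
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; Signer = $null
            Thumbprint = $null; Timestamped = $false; Revoked = $false; ChainErrors = @()
        }
    }

    # Build the chain with online revocation checking (CRL/OCSP) for every certificate in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($sig.SignerCertificate)

    # ChainStatus is empty for a clean chain; otherwise each entry carries an X509ChainStatusFlags value.
    $errors  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $revoked = $errors -contains 'Revoked'

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status                      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
        Revoked     = $revoked
        ChainErrors = $errors
    }
}

# Usage: sweep a quarantine folder (placeholder path) and surface files whose signer
# is revoked or whose signature is otherwise not valid.
Get-ChildItem -Path 'C:\Quarantine' -Filter *.exe -File |
    ForEach-Object { Get-SignerRevocationStatus -Path $_.FullName } |
    Where-Object { $_.Revoked -or $_.Status -ne 'Valid' } |
    Format-Table Path, Status, Signer, Thumbprint, Revoked -AutoSize
```

Grouping the output by `Signer` and counting distinct `Thumbprint` values is a quick way to spot the pattern described above, where the same signing entity reappears with a fresh certificate after an earlier one was revoked. Note that a timestamped signature can still validate after the signer's certificate is revoked, depending on the revocation date recorded by the CA, which is why the chain status is reported separately from the signature status.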

While Telegram continues to be used for C&C purposes, the threat actor has associated multiple administrator accounts with its Telegram channels, which suggests that it might be running an affiliate program as part of its expansion efforts, WithSecure says.

Code signing certificates have been acquired via businesses registered in Vietnam, with seven such firms identified to date. The first of these was registered in 2017, but it made the first certificate purchase only in 2021.

While investigating Ducktail incidents, WithSecure discovered that some victims were targeted with archive files via WhatsApp. When the victim lacked sufficient permissions to add the attackers’ email address to the intended Facebook business account, the adversary gathered enough information to impersonate the victim and achieve their objective via hands-on activity.

“One of these hands-on incidents involved a victim operating entirely within the Apple ecosystem that had not logged on to their Facebook account from any Windows machine. The initial vector for this incident has been left undetermined due to insufficient evidence. The investigation found no sign of malware usage or host compromise across user devices,” WithSecure says.

The cybersecurity firm estimates that the financial losses caused by Ducktail range between $100,000 and $600,000, depending on the victim.

Related: New Ducktail Infostealer Targets Facebook Business Accounts via LinkedIn

Related: New Infostealer Malware ‘Erbium’ Offered as MaaS for Thousands of Dollars

Related: New Vidar Infostealer Campaign Hidden in Help File

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
