Vietnam-Based Ducktail Cybercrime Operation Evolving, Expanding

The Ducktail information stealer has been updated with new capabilities and the threat actors that use it have been expanding their operation, according to WithSecure, formerly known as F-Secure Business.

Initially detailed earlier this year, Ducktail is a piece of malware specifically targeting Facebook business users and is likely operated by Vietnamese-speaking individuals. Ducktail’s operators have been active since at least 2018, while the malware has been in use since the second half of 2021.

Financially motivated, the threat actor targets organizations operating on Facebook’s Business/Ads platform in order to hijack their accounts. Earlier this year the Ducktail infostealer was being delivered via LinkedIn, but the operators have since changed techniques to evade detection.

Following public disclosure, the digital certificate used in the campaign was revoked, after which the attackers attempted to use invalid certificates. When those efforts proved unsuccessful, the attackers halted malware distribution in August, WithSecure says.

In September, however, the attackers resumed their activity, using a new malware variant compiled with the .NET 7 NativeAOT feature but based on the same code base as before. This variant fetched the attacker-controlled email addresses from its command-and-control (C&C) server and was seen encrypting the data it exfiltrated to the C&C.

In October, the attackers switched back to self-contained .NET Core 3 Windows binaries, which featured anti-analysis code copied from GitHub. To mask its malicious intent, the malware was seen launching a decoy file such as a document (.docx), spreadsheet (.xlsx), or video (.mp4).

WithSecure also identified several multi-stage variants of Ducktail that deliver the main information stealer as a final payload. These include an Excel add-in file (.xll) and a .NET downloader.
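The two delivery tricks described above, a decoy document opened by the freshly started binary and an .xll add-in loaded by Excel, both leave a process-level trail. The following Python is an added example, not code from WithSecure’s report or from the Ducktail samples: it runs simple detection logic over constructed Sysmon-style process-creation (event ID 1) and image-load (event ID 7) records. The viewer list, the directory fragments treated as user-writable, and the sample events are all assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Applications a decoy .docx/.xlsx/.mp4 would be opened with (assumed list).
DECOY_VIEWERS = {"winword.exe", "excel.exe", "wmplayer.exe"}
DECOY_EXTS = {".docx", ".xlsx", ".mp4"}
# Path fragments treated as user-writable drop locations (assumption, lower-cased).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\desktop\\")
# Splits a Windows command line into quoted or bare tokens.
_TOKEN = re.compile(r'"([^"]+)"|(\S+)')


def user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def args_with_ext(cmdline: str, exts) -> list:
    """Return command-line tokens whose file extension is in exts."""
    hits = []
    for m in _TOKEN.finditer(cmdline):
        tok = m.group(1) or m.group(2)
        if PureWindowsPath(tok).suffix.lower() in exts:
            hits.append(tok)
    return hits


def scan(events) -> list:
    """Apply both rules to a list of Sysmon-like event dicts; return alert strings."""
    alerts = []
    for ev in events:
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        if ev["EventID"] == 1:  # process creation
            parent = ev.get("ParentImage", "")
            cmd = ev.get("CommandLine", "")
            # Rule 1: a viewer spawned by a parent living in a user-writable
            # directory, with a decoy-type document on its command line.
            decoys = args_with_ext(cmd, DECOY_EXTS)
            if image in DECOY_VIEWERS and user_writable(parent) and decoys:
                alerts.append(f"decoy-launch: {parent} opened {decoys[0]} via {image}")
            # Rule 2a: Excel started directly with an .xll from a user-writable path.
            if image == "excel.exe":
                for xll in args_with_ext(cmd, {".xll"}):
                    if user_writable(xll):
                        alerts.append(f"xll-open: excel.exe started with add-in {xll}")
        elif ev["EventID"] == 7 and image == "excel.exe":  # image load
            # Rule 2b: Excel loading an .xll add-in from a user-writable path.
            loaded = ev.get("ImageLoaded", "")
            if loaded.lower().endswith(".xll") and user_writable(loaded):
                alerts.append(f"xll-load: excel.exe loaded add-in {loaded}")
    return alerts


# Constructed sample events (not real telemetry); two benign, two suspicious.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    # Benign: user double-clicks a report in Documents; parent is explorer.exe.
    {"EventID": 1, "Image": OFFICE + r"\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{OFFICE}\\WINWORD.EXE" /n "C:\\Users\\alice\\Documents\\report.docx"'},
    # Suspicious: an executable in Downloads opens a .docx it dropped in Temp.
    {"EventID": 1, "Image": OFFICE + r"\WINWORD.EXE",
     "ParentImage": r"C:\Users\alice\Downloads\Brand_Guidelines.exe",
     "CommandLine": f'"{OFFICE}\\WINWORD.EXE" /n "C:\\Users\\alice\\AppData\\Local\\Temp\\Brand_Guidelines.docx"'},
    # Suspicious: Excel loads an .xll add-in straight from Downloads.
    {"EventID": 7, "Image": OFFICE + r"\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\alice\Downloads\Campaign_Budget.xll"},
    # Benign: Excel loads an add-in installed under Program Files.
    {"EventID": 7, "Image": OFFICE + r"\EXCEL.EXE",
     "ImageLoaded": OFFICE + r"\Library\Analysis\ANALYS32.XLL"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Rule 1 keys on the parent’s location rather than on the viewer itself, since the viewer is a legitimate Office or media binary; Rule 2 keys on where the add-in is loaded from, because add-ins shipped with Office live under Program Files. Both rules are starting points to be tuned against an environment’s own baseline, not a replacement for the report’s indicators.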

To evade detection, the threat actor has been signing the malware with EV (extended validation) code signing certificates and has been observed switching to new certificates mid-campaign after a revocation.

While Telegram continues to be used for C&C, the threat actor has associated multiple administrator accounts with its Telegram channels, which suggests it may be running an affiliate program as part of its expansion efforts, WithSecure says.

The code signing certificates have been acquired through businesses registered in Vietnam, with seven such firms identified to date. The first of these was registered in 2017 but did not make its first certificate purchase until 2021.

While investigating Ducktail incidents, WithSecure discovered that some victims were targeted with archive files sent via WhatsApp. When the victim lacked sufficient permissions to add the attackers’ email address to the targeted Facebook business account, the adversary gathered enough information to impersonate the victim and achieve the objective through hands-on activity.

“One of these hands-on incidents involved a victim operating entirely within the Apple ecosystem that had not logged on to their Facebook account from any Windows machine. The initial vector for this incident has been left undetermined due to insufficient evidence. The investigation found no sign of malware usage or host compromise across user devices,” WithSecure says.

The cybersecurity firm estimates that the financial losses caused by Ducktail range between $100,000 and $600,000, depending on the victim.

Related: New Ducktail Infostealer Targets Facebook Business Accounts via LinkedIn

Related: New Infostealer Malware ‘Erbium’ Offered as MaaS for Thousands of Dollars

Related: New Vidar Infostealer Campaign Hidden in Help File

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
