Ducktail, a known phishing campaign that hijacks Facebook accounts running advertising campaigns for businesses, is now distributing a brand new infostealer malware.
According to researchers at according to Zscaler (opens in new tab), Ducktail previously used LinkedIn to distribute a piece of malware written in .NET Core that would steal Facebook Business account data stored in a web browser and exfiltrate it into a private Telegram channel which acted as the malware’s command & control server (C2), communicating with target systems to coordinate cyberattacks.
Now, however, Ducktail has been spotted distributing a new malware variant that can not only steal Facebook-adjacent data, but also other sensitive data stored in browsers, such as data related to cryptocurrency wallets, account information, and basic system data.
Stealing browser data
The C2 has also been changed – the data no longer goes to a Telegram channel, but rather to a JSON website that also stores account tokens and other data needed for on-device fraud.
Zscaler also claimed that the malware is being shared as an archive file uploaded to a legitimate file hosting service. The attackers, they say, made sure that the malware doesn’t get flagged by antivirus software by only loading in memory.
Users can mitigate the damage caused by Ducktail and other malware by switching to an anonymous browser, or simply making sure not to save sensitive information in their browser of choice.
This is especially important because, if malware compromises an endpoint with a Facebook Business account, they may search for additional sensitive financial details such as PayPal data. This includes amounts spent on certain purchases, verification statuses, and more.
In most cases, attackers using malware try to trick people into downloading it by presenting it as movie subtitle files, adult content, or cracks for illegitimate software.
While it’s true that Ducktail’s new infostealer could be evading antivirus software, software that comes with in-built web protection could still be of help against it by blocking access to suspicious sites that may be carrying it.
Via: BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba