New PHP Version of Ducktail info-stealer hijacks Facebook Business accounts

Experts spotted a PHP version of an information-stealing malware called Ducktail spread as cracked installers for legitimate apps and games.

Zscaler researchers discovered a PHP version of an information-stealing malware tracked as Ducktail. The malicious code is distributed as free/cracked application installers for a variety of applications including games, Microsoft Office applications, Telegram, and others.

Ducktail has been active since 2021, the experts believe it was operated by a Vietnamese threat group. In July 2022, researchers from WithSecure (formerly F-Secure Business) discovered a DUCKTAIL campaign targeting individuals and organizations that operate on Facebook’s Business and Ads platform.

The threat actors target individuals and employees that may have access to a Facebook Business account, they use an information-stealer malware that steals browser cookies and abuse authenticated Facebook sessions to steal information from the victim’s Facebook account.

The end goal is to hijack Facebook Business accounts managed by the victims.

The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers connected the victims through LinkedIn, some of the samples observed by the experts have been hosted on file or cloud hosting services, such as Dropbox, iCloud, and MediaFire.

DUCKTAIL samples analyzed in the past were written in .NET Core and were compiled using its single file feature.

“Earlier versions (observed by WithSecure Labs) were based on a binary written using .NetCore with Telegram as its C2 Channel to exfiltrate data.” reads the analysis published by Zscaler. “In August 2022, the Zscaler Threatlabz team saw a new campaign consisting of a new edition of the Ducktail Infostealer with new TTPs. Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc.”

In this campaign, the threat actors employed a new website to host data. The data are stored in JSON format and are used to perform stealing activities. The same host is used to store data stolen from the victims.

Unlike previous Ducktail campaigns, the most recent one is targeting the public at large, rather than specific employees with Admin or Finance access to Facebook Business accounts.

The malware is distributed in .ZIP files hosted on file-sharing platforms (i.e. mediafire[.]com), posing as cracked or free versions of Office applications, games, subtitle files, porn-related files, and others.

In the last campaign the malicious code is a PHP script that launch the code used to steal the data from victims’ browsers, cryptocurrency wallets, and Facebook Business accounts.

The malware achieves persistence by triggering a series of events to execute a malicious payload named “libbridged.exe.”The executable schedules tasks in three forms to ensure that the malicious code gets executed on a daily basis and on regular intervals.

Once executed, the malware scrutinizes the various Facebook pages to steal information from them. The pages analyzed by the malicious code belong to Facebook API graph, Facebook Ads Manager, and Facebook Business accounts. It fetches the unique User ID of the victim machine using the c_user argument.

Looking over Facebook Business Ads Manager links, the malicious code will access details of accounts and payment cycles.

Below is the list of details that the malware attempts to fetch from the Facebook Business pages:

Payment initiated
Payment required
Verification Status
Owner ad accounts
Amount spent
Currency details
Account status
Ads Payment cycle
Funding source
Payment method [ credit card, debit card etc.]
Paypal Payment method [email address]
Owned pages.

“It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancement in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information targeting users at large.” concludes the report. “Zscaler’s ThreatLabz team is continuously monitoring the campaign and will bring to light any new findings that it will come across.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ducktail)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.