Ducktail information stealer continues to evolve

The operators behind the Ducktail information stealer continue to improve their malicious code, operators experts warn.

In late July 2022, researchers from WithSecure (formerly F-Secure Business) discovered an ongoing operation, named DUCKTAIL, that was targeting individuals and organizations that operate on Facebook’s Business and Ads platform.

Experts attribute the campaign to a Vietnamese financially motivated threat actor which is suspected to be active since 2018.

The threat actors target individuals and employees that may have access to a Facebook Business account, they use an information-stealer malware that steals browser cookies and abuse authenticated Facebook sessions to steal information from the victim’s Facebook account.

The end goal is to hijack Facebook Business accounts managed by the victims.

The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers connected the victims through LinkedIn, some of the samples observed by the experts have been hosted on file or cloud hosting services, such as Dropbox, iCloud, and MediaFire.

After a short pause, the DUCKTAIL campaign returned with slight changes in its TTPs.

Starting on September 6, 2022, the researchers detected new samples in-the-wild with a new variant that uses the .NET 7 NativeAOT feature which allows binaries to be compiled natively (ahead-of-time) from .NET code. The format of these binaries is different from the one used by traditional .NET assemblies.

“NativeAOT offers similar benefits to the .NET single-file feature that previous DUCKTAIL variants used for compilation, especially because they can be compiled as a framework independent binary that doesn’t require .NET runtime to be installed on the victim’s machine.” reads the report published by WithSecure.

Between 2nd and 4th October 2022, the security firm discovered new DUCKTAIL samples being submitted to VirusTotal from Vietnam. The samples contained a mixture of old and new DUCKTAIL variant code bases, compiled as self-contained .NET Core 3 Windows binaries, which suggests that the group is shifting to self-contained applications. On October 5, the operators started distributing DUCKTAIL malware to victims as self-contained .NET Core Windows binaries, abandoning NativeAOT and back to using self-contained .NET binaries.

The analysis of the variants written in .NET Core 3 revealed the presence of unused anti-analysis functions that were copied from a GitHub repository. This is yet another indication of the threat actor’s continuous efforts to evade analysis and detection mechanisms

WithSecure observed several multi-stage subvariants of DUCKTAIL that are used to deliver the final payload, the researchers highlighted that this is the primary information stealer malware in all cases.

“The malware still relies on Telegram as its C&C channel. At the time of writing, three active Telegram bots and channels were observed in the latest campaign, with the threat actor re-using the same Telegram chats that were initially discovered, indicating that only the bots (and access tokens) were refreshed with stricter administrator rights” concludes the report. “An interesting shift that was observed with the latest campaign is that [the Telegram command-and-control] channels now include multiple administrator accounts, indicating that the adversary may be running an affiliate program.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, DUCKTAIL)

[adrotate banner=”5″]

[adrotate banner=”13″]