A new malware is hijacking high-profile Meta Facebook Business and advertising platform accounts through a phishing campaign that targets LinkedIn accounts. The malware, dubbed Ducktail, uses browser cookies from authenticated user sessions to take over accounts and steal data, researchers said.
Researchers from WithSecure, formerly F-Secure, discovered the ongoing campaign, which appears to be the work of financially driven Vietnamese threat actors, they wrote in a report published Tuesday. The campaign itself appears to have been active since at least the second half of 2021, while the threat actors behind it may have been on the cybercriminal scene since 2018, researchers said.
“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to,” researchers wrote in a blog post accompanying the report.Ducktail actors have very specific targets in mind—that is, individuals within companies operating on Facebook’s Business and advertising platform that have high-level access to the account. These include people with managerial, digital marketing, digital media, and human
resources roles in targeted companies, researchers said.
“These tactics would increase the adversary’s chances of compromising the respective Facebook Business all the while flying under the radar,” researchers wrote.
To infiltrate accounts, actors are targeting LinkedIn users with a phishing campaign that lures victims using keywords related to brands, products and project planning into downloading an archive file containing the malware executable alongside related images, documents and video files, researchers reported.
Researchers took a deep dive into the novel malware, which in its latest samples is written exclusively in .NET Core and compiled via its single-file feature, something “not commonly seen in malware,” they noted.
Ducktail operates using six key components once it infects a system. It first does Mutex creation and check to ensure that only a single instance of the malware is running at any given time, researchers said.
A data storage component stores and loads stolen data in a text file in a temporary folder, while a browser-scanning feature scans installed browsers to identify cookie paths for later theft.
Ducktail also has two components dedicated to stealing info from victims, one that’s more general, stealing non-Facebook related information, and another that steals info specifically related to Facebook Business and advertising accounts as well as hijacks those accounts, researchers said.
The first general information-stealing component scans an infected machine for Google Chrome, Microsoft Edge, Brave Browser or Firefox and, for each one it finds, extracts all stored cookies, including any Facebook session cookie.
The component of Ducktail dedicated to extracting data from Facebook Business/Ads accounts directly interacts with various Facebook endpoints—either direct Facebook pages or API endpoints–from the victim’s machine using a stolen Facebook session cookie, researchers said. It also other security credentials obtained from the cookie to extract information from the victim’s Facebook account, they said.
Specific info that the malware steals from Facebook includes: security credentials, personal account identification info, business details and advertising account info.
Ducktail also allows threat actors to take full administration control over Facebook Business accounts, which can give them access to a user’s credit card or other transactional data for financial gain, researchers said.
Telegram C&C and Other Evasion Tricks
A final component of Ducktail exfiltrates data to a Telegram channel used as the threat actors’ command and control (C&C), researchers said. This allows the actor to evade detection by limiting the commands it sends from C&C to the victim’s machine, researchers said.
Moreover, the malware does not establish persistence on a machine, which also allows means it can get in and do its dirty work without alerting the user or flagging Facebook security, researchers said. However, different versions of Ducktail observed by threat actors performed this lack of persistence in various ways, they said.
“Older versions of the malware simply executed, did what they were designed to do, and then exited,” researchers wrote. “Newer versions run an infinite loop in the background that performs exfiltration activities periodically.”
Ducktail also has inherent features in Facebook data-stealing component that is designed to circumvent Meta security features by making any request for data to Facebook entities appear to be coming from the victim’s primary browser. This would make these actions appear benign to Meta security, researchers said.Attackers also can use information such as stolen session cookies, access tokens, 2FA codes, user agents, IP address and geolocation, as well as general account information, to cloak and impersonate the victim, researchers said.