The research team has been analyzing a series of info-stealing malware, and they have recently come across an interesting campaign involving the PHP version of Ducktail Infostealer. This malware is being actively distributed by disguising itself as a free or cracked application installer for popular software, including games, Microsoft Office applications, and Telegram. Ducktail Infostealer, attributed to a Vietnamese threat group, has been active since 2021 and has primarily targeted Facebook Business accounts to manipulate pages and gain access to financial information.
The Ducktail Infostealer instances were first identified in late 2021. In July 2022, researchers observed that the threat actors were specifically targeting higher-level employees with access to Facebook Business accounts to steal data and take control of the accounts. The earlier versions of Ducktail were based on a binary written in .NET Core and utilized Telegram as its command and control (C2) channel for exfiltrating data. However, in August 2022, a new campaign was observed involving a PHP version of Ducktail Infostealer with new tactics, techniques, and procedures (TTPs).
According to an analysis, the threat actors have shifted their focus from targeting specific employees with administrative or financial access to Facebook Business accounts to a broader audience. The malicious executable files are typically in .ZIP format and are hosted on file-sharing platforms, posing as cracked or free versions of popular applications like Office, games, subtitles, and explicit content files. Compared to previous campaigns, changes have been made in the execution of the malicious code. The threat actors now employ a scripting version where the main stealer code is a PHP script instead of a .NET binary.
The execution flow begins with a fake installer that generates a temporary file, which then re-initiates the installer with a “/Silent” parameter. Another temporary file is created, which drops all the supporting files and malicious files at a specific location on the victim’s machine. To achieve persistence, a series of events take place, scheduling tasks to execute the malicious payload, named “libbridged.exe,” daily and at regular intervals.
The stealing of data and its exfiltration are achieved by decrypting the stealer code at runtime in memory. The PHP script performs various actions, such as fetching browser information, extracting stored browser cookies, targeting Facebook Business accounts, searching for cryptocurrency account information in the wallet.dat file, and sending the collected data to the command and control (C&C) server.
The PHP script creates PHP associative arrays to prepare for data transmission to the C&C server. The CURL command is used for sending and receiving files over HTTP, and specific switches are employed during communication.
The script also collects information about installed browsers, retrieves data from the local state file in the Chrome user data directory, decodes sensitive data protected by Chrome’s local data encryption, encodes stolen information to base64, and saves it to log files. It specifically targets Facebook pages, including Facebook API graph, Facebook Ads Manager, and Facebook Business accounts, to gather account details, payment cycles, account statuses, funding sources, and other relevant information.
After completing the data-stealing activities, the PHP script connects to the C&C server to obtain a list of targeted folders and URLs stored in JSON format, which are then used to gather further information. The stolen data is sent to the C&C server in JSON format.
To conclude, the threat actors behind the Ducktail Infostealer campaign are continuously evolving their delivery mechanisms and tactics to steal a wide range of sensitive user and system information, particularly targeting Facebook Business accounts.
Impact
- Sensitive Information Theft
- Credential Theft
Indicators of Compromise
Domain Name
- slmg.online
- roberthalfchro.online
- strongeagle.online
- cakoi2.online
- strongeaglehr.online
- qrispokaslotnew.xyz
- cakoi3.online
- whoyourdaddy.online
- whoyourdaddy1.online
- servicetitan.online
- flashbots.online
- roberthalfhr.online
- recruitmentb2c.online
- roberthalfhr.site
- roberthalfjob.site
MD5
- df4588057abcf11a666891f4edbac6cb
- 7956af4e60ce3cf7b36ca520ab0ea201
- 56ed1dd30e66077ac7c80925df49088f
- 20cb1bff1a4682c5d08521be92cca7d6
SHA-256
- f3015c46ff2103431b383514591e1c1bf348119475c6a183066d3b8f6a896bca
- 9f8e5f98f6ed3f63fb9266fde5f36b3bff242e8ebedbe6130558c65fde8addf7
- 221bbb95675d605597b278756a04acaa66f884f3c570717cb1025cbc7d62130a
- facf9cf0e986ba43f6317457ccb711e45c06e279c08ed4bbafc77c6a5e6d0b60
SHA-1
- 09b88e2314ae1ebab6db6d4e40d68a912a025bee
- 44de6f5007090c84ff00f0b226b3f159dfbb6864
- a1f1e50c8549435d07eafa6162be8a8bb1b078a7
- 906935b089701be4133ca78c7135418d529a0b30
Remediation
- Block all threat indicators at your respective controls. Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by info-stealers and other types of malware.
- Promptly apply security patches and updates for operating systems, software applications, and browsers. This helps to address vulnerabilities that threat actors may exploit to deliver malware.
- Utilize web filtering solutions and URL reputation services to block access to known malicious websites and prevent users from visiting potentially dangerous links, such as those used in Ducktail infostealer campaigns.
- Implement network segmentation to restrict access and isolate critical systems, such as those hosting sensitive financial information or Facebook Business accounts. This prevents lateral movement of malware and limits the impact of a potential compromise.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.
- Maintain regular backups of critical data, including Facebook Business account information, and ensure they are stored securely offline. This enables quick recovery in case of a successful attack or data loss.
Source: https://www.rewterz.com/threat-advisory/an-emerging-ducktail-infostealer-active-iocs-9