An Infostealer Malware Exploits Social Media Business Accounts of High-Position Individuals
DUCKTAIL, a financially motivated malware variant, specifically aims at individuals and businesses utilizing a Social Media Business/Ads platform. The malware is created by Threat Actors (TAs) originating from Vietnam. Since the second half of 2021, TAs have been actively involved in developing and distributing malware associated with the DUCKTAIL operation.
The malware is specifically designed to extract browser cookies and take advantage of social media sessions to steal sensitive information from the victim’s Social Media account. Ultimately, the malware operation aims to gain control of Social Media Business accounts with adequate access privileges. TAs then use their acquired access to conduct advertisements for their financial gain.
Cyble Research and Intelligence Labs (CRIL) recently encountered malware files specifically targeting Marketing and HR professionals.
The figure below displays the filenames employed during this campaign.
The TA’s strategy involved identifying companies using Social Media’s Business/Ads platform and specifically focusing on individuals in managerial positions within the marketing and HR departments. These individuals held significant access to the Social Media Business platform within their respective organizations, making them prime targets.
The TAs focused on themes related to digital marketing projects, job descriptions, plans for various positions, and policy and salary information associated with companies in the Clothing, Footwear, and Cosmetics industries.
Initial Infection
TAs utilize popular file-sharing services such as Dropbox, Google Drive, and Microsoft OneDrive to host their malware. Their main approach involves employing social engineering tactics to entice victims into downloading and executing the malicious payload.
To initiate the attack, they commonly employ ZIP files to deliver the initial payload. It is important to mention that we only obtained access to the download link and, therefore, cannot confirm the exact method to deliver these links to the intended targets. Considering Ducktail’s past behavior, it is possible that the group also utilizes LinkedIn messages as a distribution method.
The provided Dropbox link leads to downloading a file named “Project Information And Salary Details At AVALON ORGANICS.zip”.
- hxxps[:]//www[.]dropbox[.]com/s/ng04kf3c1x1nya1/Project%20Information%20And%20Salary%20Details%20At%20AVALON%20ORGANICS[.]zip?dl=1
The following image illustrates the contents of a zip archive file, including PNG/JPG images of beauty products and executable files disguised with Word/PDF icons.
The two executable files, namely ‘Performance Marketing Manager Salary and Benefits.exe’ and ‘The role of Performance Marketing Manager.exe’, specifically target Marketing professionals.
These files, the “Ducktail” payload, are given Word/PDF icons so that victims mistake them for genuine document files.
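The lure described above, image files mixed with executables that carry document-like names and icons, can be triaged before anyone double-clicks. The following is an added example, not code from the write-up or from the malware: a Python routine that opens a ZIP archive, checks every member for a PE header and an executable extension, flags executables whose filename uses the job/salary/project themes this campaign relies on, and hashes each member against the IoC hashes published at the end of this post. The archive it builds is constructed for the demonstration, so none of its hashes will match the real indicators; the lure word list is an assumption based on the filenames reported here.

```python
import hashlib
import io
import zipfile

# MD5/SHA1/SHA256 values from the Indicators of Compromise table of this write-up.
KNOWN_BAD_HASHES = {
    "618072b66529c1a3d8826b2185048790",
    "936139fc7f302e3895f6aea0052864a6cb130c59",
    "2650e6160606af57bd0598c393042f60c65e453f91cde5ecc3d0040a4d91214d",
    "691ca596a4bc5f3e77494239fb614093",
    "20f53032749037caa91d4b15030c2f763e66c14e",
    "f024e7b619d3d6e5759e9375ad50798eb64d1d4601f22027f51289d32f6dc0ca",
    "b4125e56a96e71086467f0938dd6a606",
    "e692a626c6236332bd659abbd4b1479b860bf84a",
    "385600d3fa3b108249273ca5fe77ca4872dee7d26ce8b46fe955047f164888e7",
}

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Assumed lure vocabulary, taken from the filenames reported in this campaign.
LURE_WORDS = ("salary", "benefit", "role", "project", "job", "policy", "plan", "description")


def triage_member(name, data):
    """Score a single archive member; returns a dict with hashes and the reasons it was flagged."""
    reasons = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    is_pe = data[:2] == b"MZ"  # DOS/PE magic, regardless of what the extension or icon claims
    if is_pe:
        reasons.append("PE header (MZ) present")
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if (is_pe or ext in EXECUTABLE_EXTENSIONS) and any(w in lower for w in LURE_WORDS):
        reasons.append("document-themed filename on an executable")
    hashes = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    if any(h in KNOWN_BAD_HASHES for h in hashes.values()):
        reasons.append("hash matches published DUCKTAIL IoC")
    return {"name": name, "suspicious": bool(reasons), "reasons": reasons, **hashes}


def triage_zip(zip_bytes):
    """Triage every file inside a ZIP held in memory; directories are skipped."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results.append(triage_member(info.filename, zf.read(info)))
    return results


def build_sample_archive():
    """Constructed archive mimicking the lure layout: product images plus a disguised executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Avalon Shampoo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        zf.writestr("The role of Performance Marketing Manager.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Salary and Benefits.pdf", b"%PDF-1.4\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for r in triage_zip(build_sample_archive()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['name']}  sha256={r['sha256']}  {'; '.join(r['reasons'])}")
```

The icon itself is not inspected: a PE that merely looks like a document is already worth stopping, and the `MZ` check catches a renamed executable even when the extension has been changed to something harmless.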
Technical Details: Ducktail
The DUCKTAIL operation started in late 2021. The samples associated with it are written in .NET Core and compiled as a single executable file that bundles its libraries and resource files together with the main assembly.
Stealing Information
Upon execution, the malware conducts a comprehensive scan of the victim’s computer, specifically targeting popular browsers such as:
- Google Chrome
- Microsoft Edge
- Brave Browser
- Mozilla Firefox
After identifying the browsers, the malware extracts all stored cookies, including any Social Media session cookies that might be present, from each of them.
Additionally, the malware scans the registry under HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet to retrieve each installed browser’s name, path, and icon path.
Hijacking Social Media Business
The malware utilizes the victim’s Social Media session cookie and other obtained security credentials to directly communicate with other Social Media endpoints from the victim’s computer and extracts information from their Social Media account. DUCKTAIL malware also verifies if two-factor authentication (2FA) is mandatory. In such cases, it tries to acquire the recovery codes. In addition to session cookies, the malware can pilfer access tokens, user agents, and IP addresses.
Typically, Ducktail gains unauthorized access to Business accounts through the Social Media accounts linked to individuals’ personal identities. By adding the TA’s email addresses to the Social Media Business accounts, the malware hands control of these accounts to the TAs. It also gathers various details, including victims’ names, birthdays, email addresses, and user IDs.
Exfiltration via Telegram
The TAs rely entirely on Telegram as their Command and Control (C&C) channel, using the Telegram Bot functionality to exfiltrate the stolen data. DUCKTAIL’s malware component employs the Telegram.Bot client library for this purpose.
The provided code snippet below depicts a function that facilitates the uploading of a file to a Telegram chat, utilizing the Telegram Bot functionality.
Finally, the malware also runs an infinite loop in the background, establishing a continuous exfiltration process.
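Because the exfiltration channel is the public Telegram Bot API, it leaves a recognisable trace in web-proxy logs: requests to api.telegram.org whose path starts with `bot<id>:<secret>/` followed by a `send*` method. The following is an added example, not code from the write-up or from the malware: a Python detection that parses constructed proxy-log lines, keeps only Bot API calls that push data out (sendDocument, sendMessage and similar), sums the bytes each client sent through them, and redacts the bot secret before it lands in an alert. The log layout and the bot tokens are constructed placeholders, not a real product format or real credentials.

```python
import re
from collections import defaultdict

# Telegram Bot API calls have the form https://api.telegram.org/bot<id>:<secret>/<method>.
BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<api_method>[A-Za-z]+)"
)
# Bot API methods that push data out of the network; polling methods such as getUpdates are ignored.
EXFIL_METHODS = {"senddocument", "sendmessage", "sendphoto", "sendvideo", "sendaudio"}

# Constructed proxy-log layout (assumed, not a real product format):
# timestamp, client IP, HTTP method, URL, status code, bytes sent by the client.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<http_method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample lines; the bot tokens are placeholders, not real credentials.
SAMPLE_LOG = """\
2023-06-12T10:15:01Z 10.0.0.25 GET https://www.example.com/index.html 200 512
2023-06-12T10:15:07Z 10.0.0.25 POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder_NotReal01/sendDocument 200 184320
2023-06-12T10:15:09Z 10.0.0.25 POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder_NotReal01/sendMessage 200 740
2023-06-12T10:16:00Z 10.0.0.31 GET https://api.telegram.org/bot987654321:AAAnotherPlaceholderToken_NotReal02/getMe 200 96
2023-06-12T10:16:30Z 10.0.0.31 POST https://api.telegram.org/bot987654321:AAAnotherPlaceholderToken_NotReal02/sendDocument 200 2048000
"""


def redact_token(token):
    """Keep the numeric bot id (useful for reporting to Telegram) but hide most of the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:3]}...{secret[-2:]}"


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def detect_telegram_exfil(log_text):
    """Return (alerts, bytes_per_client) for Bot API send* calls found in the log text."""
    alerts = []
    bytes_per_client = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_URL_RE.match(rec["url"])
        if m is None:
            continue
        api_method = m.group("api_method")
        if api_method.lower() not in EXFIL_METHODS:
            continue
        bytes_per_client[rec["src"]] += rec["bytes"]
        alerts.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "api_method": api_method,
            "bot": redact_token(m.group("token")),
            "bytes": rec["bytes"],
        })
    return alerts, dict(bytes_per_client)


if __name__ == "__main__":
    found, totals = detect_telegram_exfil(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['src']} -> {a['api_method']} via bot {a['bot']} ({a['bytes']} bytes)")
    print("bytes per client:", totals)
```

The URL path, and therefore the bot token and method, is only visible when the proxy terminates TLS. Without inspection only the SNI/host api.telegram.org and the byte counts remain, so the fallback is to alert on any workstation that pushes an unexpected volume to that host, and to note that the same host also serves legitimate bots, which is why per-client byte totals matter more than a single hit.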
Conclusion
Ducktail is a specifically designed information stealer that can have severe consequences, such as privacy breaches, financial losses, and identity theft. Its constant updates enable it to bypass most Social Media platforms’ security measures, specifically targeting advertising and business accounts. With the ability to hijack Social Media accounts, DUCKTAIL poses a significant threat to user privacy and the overall security of Social Media Business accounts.
CRIL will continue to monitor the latest circulating phishing or malware strains, offering timely blogs that provide actionable intelligence to help users protect themselves against these well-known attacks.
Our Recommendations
- Avoid downloading applications from unknown sources.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Update your passwords periodically.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beaconing at the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on employees’ systems.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Execution | T1204 | User Execution |
Execution | T1047 | Windows Management Instrumentation |
Execution | T1059 | Command and Scripting Interpreter |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Defense Evasion | T1027 | Obfuscated Files or Information |
Credential Access | T1003 | OS Credential Dumping |
Discovery | T1057 | Process Discovery |
Discovery | T1012 | Query Registry |
Discovery | T1082 | System Information Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1518 | Security Software Discovery |
Collection | T1006 | Data from Local System |
Indicators Of Compromise
Indicators | Indicator Type | Description |
618072b66529c1a3d8826b2185048790 | MD5 | Project Information And Salary Details At AVALON ORGANICS.zip |
936139fc7f302e3895f6aea0052864a6cb130c59 | SHA1 | Project Information And Salary Details At AVALON ORGANICS.zip |
2650e6160606af57bd0598c393042f60c65e453f91cde5ecc3d0040a4d91214d | SHA256 | Project Information And Salary Details At AVALON ORGANICS.zip |
691ca596a4bc5f3e77494239fb614093 | MD5 | The role of Performance Marketing Manager.exe |
20f53032749037caa91d4b15030c2f763e66c14e | SHA1 | The role of Performance Marketing Manager.exe |
f024e7b619d3d6e5759e9375ad50798eb64d1d4601f22027f51289d32f6dc0ca | SHA256 | The role of Performance Marketing Manager.exe |
b4125e56a96e71086467f0938dd6a606 | MD5 | Performance Marketing Manager Salary and Benefits.exe |
e692a626c6236332bd659abbd4b1479b860bf84a | SHA1 | Performance Marketing Manager Salary and Benefits.exe |
385600d3fa3b108249273ca5fe77ca4872dee7d26ce8b46fe955047f164888e7 | SHA256 | Performance Marketing Manager Salary and Benefits.exe |
hxxps[:]//www[.]dropbox[.]com/s/ng04kf3c1x1nya1/Project%20Information%20And%20Salary%20Details%20At%20AVALON%20ORGANICS[.]zip?dl=1 | URL | Dropbox link to download payload |