The new campaign called Ducktail is designed to attack Facebook businesses and advertising accounts and seize control. This campaign is part of a cybercriminal operation expected to be a cybercriminal operation that is financially driven.
A Finnish cybersecurity company called WithSecure, previously known as F-Secure Business, gives details in a new report. This report states that the threat actors are targeting individuals and employees who may have access to a Facebook business account with information-stealer malware.
The malware can steal browser cookies and take advantage of authenticated Facebook sessions. It steals information from the victim’s Facebook account and tries to hijack any Facebook business account linked to that account that the victim has sufficient access.
These attacks are traced back to a Vietnamese threat actor, and the attacks began in the latter half of 2021. The main targets are individuals with managerial, digital media, human resources, or digital marketing roles in various companies.
These individuals are being targeted because they are the most likely to have high-level access to the Facebook business accounts linked to these organizations. This Ducktail malware is designed to trick them into downloading Facebook advertising information hosted on MediaFire, Apple iCloud, or Dropbox.
The malware has also been delivered to a few victims through LinkedIn. They are sent archive files containing the malicious payload. Thus, the attacker is able to gain access to the Facebook account open in the same browser.
Usually, information-stealing malware, such as Ducktail, is written in .NET Core. This is binary, engineered to utilize Telegram for command and control and data exfiltration. According to WithSecure, they identified eight telegram channels that were being used for spreading this purpose.
This malware typically scans all the installed browsers, such as Google Chrome, Safari, Microsoft Edge, and Mozilla Firefox. It extracts the access tokens, stored cookies, and the victim’s personal Facebook information, including email, name, address, user ID, and date of birth.