Ducktail, a known phishing campaign that hijacks Facebook accounts running advertising campaigns for businesses, is now distributing a brand new infostealer malware.
According to researchers at according to Zscaler, Ducktail previously used LinkedIn to distribute a piece of malware written in .NET Core that would steal Facebook Business account data stored in a web browser and exfiltrate it into a private Telegram channel which acted as the malware’s command & control server (C2), communicating with target systems to coordinate cyberattacks.
Now, however, Ducktail has been spotted distributing a new malware variant that can not only steal Facebook-adjacent data, but also other sensitive data stored in browsers, such as data related to cryptocurrency wallets, account information, and basic system data.
Stealing browser data
The C2 has also been changed - the data no longer goes to a Telegram channel, but rather to a JSON website that also stores account tokens and other data needed for on-device fraud.
Zscaler also claimed that the malware is being shared as an archive file uploaded to a legitimate file hosting service. The attackers, they say, made sure that the malware doesn’t get flagged by antivirus software by only loading in memory.
Users can mitigate the damage caused by Ducktail and other malware by switching to an anonymous browser, or simply making sure not to save sensitive information in their browser of choice.
This is especially important because, if malware compromises an endpoint with a Facebook Business account, they may search for additional sensitive financial details such as PayPal data. This includes amounts spent on certain purchases, verification statuses, and more.
In most cases, attackers using malware try to trick people into downloading it by presenting it as movie subtitle files, adult content, or cracks for illegitimate software.
While it’s true that Ducktail’s new infostealer could be evading antivirus software, software that comes with in-built web protection could still be of help against it by blocking access to suspicious sites that may be carrying it.
- Here's our rundown of the best ID theft protection right now