Cyber criminals targeting the accounts of social media users with an infostealer malware known as Ducktail are dramatically increasing their activity, and threat actors based out of Vietnam continue to drive the new surge, according to intelligence compiled by WithSecure.
Ducktail first emerged a little over 12 months ago, targeting business accounts on Facebook and spreading via spear-phishing emails against researched targets suspected of having admin privileges on Meta’s business service.
It was generally hosted on public cloud file storage services and delivered as an archive file containing the malware alongside images, documents and video files named using keywords relevant to brand and product marketing, in order to minimise suspicion.
It then stole browser cookies and took advantage of authenticated Facebook sessions to steal the information needed to hijack Meta Business accounts to which the victims likely had access. Having stolen access, it then attempted to escalate its privileges to take over the business account, and thus the victim organisation’s presence across Meta’s various platforms.
“While the incentives are high for businesses to leverage social media for their own benefit, these platforms provide adversaries with different intent and capabilities, with other opportunities,” wrote report author Mohammad Kazem Hassan Nejad.
“The adversarial challenges presented by these platforms are extensive, dynamic, complex, and most importantly, harmful. For instance, nation-state or nation-backed actors may leverage these platforms for reconnaissance, spear-phishing, influence operations, and more. However, other forms of attacks can result in far greater collective damage.”
What’s new?
The latest Ducktail campaign is unfolding in a similar fashion, explained Hassan Nejad, although the lures used by the cyber criminals have changed to some degree, and now incorporate trending topics, such as the growth in popularity of generative artificial intelligence (AI) services such as ChatGPT, and their likely impact on marketers and social media pros.
It has also expanded its delivery mechanisms and victimology, with some lures now centring job opportunities, which they did not do before, exploiting fictional job openings at prominent brands – among them carmaker BMW, cosmetics giant L’Oréal, fashion houses Fendi and Prada and retailers Gap, Mango, Macy’s and Uniqlo – suggesting it is being used against jobseekers and freelancers.
Ultimately, it still steals session cookies and login credentials, and hijacks accounts to run fraudulent advertising using their victim’s money or credit – this process is now automated to some degree, another new feature. In some instances compromised accounts has also been used to extort funds, or write mean things about competitors.
“Leveraging such access to run fraudulent ads using the affected businesses’ existing capabilities, such as attached credit lines, has far more value for financially motivated cyber criminals. Running fraudulent ads enables other threats to take shape and propagate by causing a cascading effect for victims served with fraudulent ads, amplifying the impact beyond the affected business,” wrote Hassan Nejad.
Hassan Nejad said the group behind it was clearly becoming much more sophisticated and mature, and was starting to evolve the malware to bake in features that enable it to evade anti-analysis and detection.
But during the course of his ongoing research on Ducktail, Hassan Nejad has also observed some other significant developments.
Notably, it is now targeting advertising accounts on X, the service formally known as Twitter, using its core functionalities to harvest information such as logged-in user IDs and session cookies from X.
Perhaps of more concern is the emergence of another new malware with significant overlaps with Ducktail, which WithSecure is calling Duckport.
Some capabilities seen as unique to this new malware include an ability to take screenshots, exploiting online note sharing services in its command-and-control chain, and exposing and accessing victim’s machines from the public internet.
WithSecure’s Neeraj Singh who assisted in the research, posited that the involvement of different but similar groups indicates some engagement among different operations in the same space.
“These various groups may be sourcing expertise from a common talent pool, or they could be operating within an information-sharing framework to exchange tools and insights regarding effective strategies,” said Singh.
“Furthermore, the potential involvement of an intermediary offering specialised services akin to the ransomware-as-a-service model cannot be disregarded. However, it’s evident that the space is growing, pointing toward a level of success achieved with these attacks.”