The Zscaler ThreatLabz research team observed a PHP version of the ‘Ducktail’ infostealer distributed in the form of cracked application installers for a variety of applications, including games, Microsoft Office applications, Telegram, and others.
Notably, Ducktail has been active since 2021; experts say it might be operated by a Vietnamese threat group. The main goal of this campaign is to take over Facebook Business accounts.
“Earlier versions (observed by WithSecure Labs) were based on a binary written using .NetCore with Telegram as its C2 Channel to exfiltrate data,” Zscaler said.
In this case, the malicious installer is hosted on a file-hosting website. Compared with the previous campaigns, researchers say the way the malicious code is executed has changed, and the threat actors have switched to a scripting version in which the main stealer code is a PHP script rather than a .NET binary.
“Upon execution, the fake installer pops up a ‘Checking Application Compatibility’ GUI in the frontend. In the backend, it generates a .tmp file that re-initiates the installer with the ‘/Silent’ parameter and thereafter another .tmp file gets generated,” researchers at Zscaler said.
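The execution chain quoted above (installer, a .tmp copy re-launched with /Silent, a second .tmp, then the script stage) is something a defender can hunt for in process-creation telemetry. The following is an added example and not code from Zscaler or the article: it walks constructed process-creation records in a simplified "parent|image|command line" format and scores the chain rather than any single step, because a .tmp run with /Silent on its own is common to legitimate installer frameworks. The use of php.exe from a user-writable directory as the script stage is an assumption of the example; the article only says the stealer is a PHP script. All paths and names in the sample log are constructed and are not indicators from the report.

```python
import re
from collections import defaultdict

# Constructed sample telemetry: parent image | image | command line.
# None of these paths or file names are real indicators of compromise.
SAMPLE_LOG = """\
explorer.exe|C:\\Users\\u\\Downloads\\Setup_Cracked.exe|"Setup_Cracked.exe"
C:\\Users\\u\\Downloads\\Setup_Cracked.exe|C:\\Users\\u\\AppData\\Local\\Temp\\a1b2.tmp|"a1b2.tmp" /Silent
C:\\Users\\u\\AppData\\Local\\Temp\\a1b2.tmp|C:\\Users\\u\\AppData\\Local\\Temp\\c3d4.tmp|"c3d4.tmp"
C:\\Users\\u\\AppData\\Local\\Temp\\c3d4.tmp|C:\\Users\\u\\AppData\\Local\\Temp\\php\\php.exe|php.exe run.php
explorer.exe|C:\\Program Files\\Vendor\\Setup.exe|"Setup.exe"
C:\\Program Files\\Vendor\\Setup.exe|C:\\Users\\u\\AppData\\Local\\Temp\\e5f6.tmp|"e5f6.tmp" /Silent
"""

# Directories an unprivileged user can write to (assumed list for the example).
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.IGNORECASE)
# Script interpreters worth flagging when launched from such a directory.
INTERPRETERS = {"php.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def parse(log):
    """Turn the simplified log into a list of process-creation events."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        parent, image, cmdline = line.split("|", 2)
        events.append({"parent": parent, "image": image, "cmdline": cmdline})
    return events


def hunt(log):
    """Return one finding per installer whose child chain matches the
    described pattern: .tmp re-launched with /Silent, then a further .tmp
    stage and/or a script interpreter run from a user-writable path."""
    events = parse(log)
    children = defaultdict(list)
    for e in events:
        children[e["parent"]].append(e)

    findings = []
    for e in events:
        if not e["image"].lower().endswith(".tmp"):
            continue
        if "/silent" not in e["cmdline"].lower():
            continue
        reasons = [".tmp re-launched with /Silent"]
        # Depth-first walk over every descendant of the silent .tmp stage.
        stack = list(children[e["image"]])
        while stack:
            d = stack.pop()
            name = d["image"].rsplit("\\", 1)[-1].lower()
            if name.endswith(".tmp"):
                reasons.append("second .tmp stage: " + name)
            if name in INTERPRETERS and USER_WRITABLE.search(d["image"]):
                reasons.append("script interpreter from user-writable path: " + name)
            stack.extend(children[d["image"]])
        # A lone silent .tmp is not enough; require at least one more signal.
        if len(reasons) >= 2:
            findings.append({"root": e["parent"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["root"])
        for r in f["reasons"]:
            print("  -", r)
```

Run against the sample, only the cracked installer chain is reported; the vendor installer that also re-launches a .tmp with /Silent is left alone because nothing follows it. On real telemetry (Sysmon event ID 1 or an EDR process feed) the `parse` function is the only part that needs replacing.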
The PHP script contains code to decode a base64-encoded text file. Executing the decoded contents of that text file ultimately launches a custom job-scheduling binary.
Researchers say the stealer code is decrypted at runtime in memory and then carries out its data-theft and exfiltration operations.
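A base64-encoded text file that is only decoded at runtime is a common way to keep the real stage out of plain sight, and it is also easy to surface during static triage. The following is an added example, not code from Zscaler or the article: it scans a text file for base64 runs, decodes the ones that are valid, and labels each decoded blob by its leading bytes (PHP open tag, PE header, zip header, or generic binary) so an analyst can see at a glance what the file really carries. The sample input is constructed, and the magic-byte table is the example's own assumption about what is worth labelling.

```python
import base64
import re

# Constructed sample: a harmless PHP stub hidden as one base64 line
# between ordinary text lines.
_PAYLOAD = b"<?php echo 'stage2'; ?>"
SAMPLE_TEXT = (
    "header line\n"
    + base64.b64encode(_PAYLOAD).decode()
    + "\ntrailer line\nnotbase64!!\n"
)

# A run of base64 alphabet characters long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Leading bytes used to label a decoded blob (assumed table for the example).
MAGIC = {
    b"<?php": "php script",
    b"MZ": "PE executable",
    b"PK\x03\x04": "zip archive",
}


def classify(blob):
    """Label a decoded blob from its first bytes."""
    for magic, label in MAGIC.items():
        if blob.startswith(magic):
            return label
    # Control characters other than tab/newline/CR suggest binary data.
    if any(b < 9 or 13 < b < 32 for b in blob[:64]):
        return "binary"
    return "text"


def extract_blobs(text):
    """Find and decode every valid base64 run in the text; skip runs that
    are not a multiple of four or fail strict decoding."""
    results = []
    for m in B64_RUN.finditer(text):
        token = m.group(0)
        if len(token) % 4:
            continue
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:
            continue
        results.append({
            "offset": m.start(),
            "kind": classify(decoded),
            "decoded": decoded,
        })
    return results


if __name__ == "__main__":
    for blob in extract_blobs(SAMPLE_TEXT):
        print(blob["offset"], blob["kind"], blob["decoded"][:40])
```

Strict decoding (`validate=True`) and the length check keep ordinary words and URL fragments from being reported as blobs; on a real file the decoded output is what gets handed to the next triage step, never executed.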
Additionally, the malicious script collects information about the browsers installed on the system, extracts key data such as the machineID, browser version and file name, and copies this data.
In this case, the malware examines various Facebook pages to steal information. These pages belong to the Facebook Graph API, Facebook Ads Manager, and Facebook Business accounts.
By searching for Facebook Business Ads Manager links, the malicious code accesses account details and payment cycles. The malware attempts to obtain a list of details from the Facebook Business pages.
Subsequently, the PHP script tries to connect to the C&C server to fetch a list of contents stored in JSON format, which is then used to gather further information.
“The Ducktail stealer campaign is continuously making changes or enhancements in its delivery mechanisms to steal a wide variety of sensitive user and system information, targeting users at large,” the researchers said.