New PHP Malware Distributed as Cracked Microsoft Office Apps, Telegram, & Others

The Zscaler ThreatLabz research team observed a PHP version of ‘Ducktail’ Infostealer distributed in the form of cracked application installer for a variety of applications including games, Microsoft Office applications, Telegram, and others.  

Notably, Ducktail has been active since 2021; experts say it might be operated by Vietnamese threat group. The main target of this attack campaign is to take over Facebook Business accounts.

The Attack Chain

“Earlier versions (observed by WithSecure Labs) were based on a binary written using .NetCore with Telegram as its C2 Channel to exfiltrate data”, Zscaler

In this case, the malicious installer is being hosted at a file hosting website. While comparing with the previous campaigns, researchers say changes have been made in the execution of malicious code. Also, threat actors have switched to a scripting version whereby the main stealer code is a PHP script and not a .Net binary.

“Upon execution, the fake installer pops-up a ‘Checking Application Compatibility’ GUI in the frontend. In the backend, it generates a .tmp file that re-initiates the installer with “/Silent” parameter and thereafter another .tmp file gets generated”, researchers at Zscaler.

The PHP script consists of code to decrypt a base64 encoded text file. The execution of the decrypted version of the text file will lead to the execution of the custom job scheduling binary as the final result.

Researchers say the stealer code gets decrypted at runtime in memory and then performs stealing operations and exfiltration of data.

Functionality of the Malware

• Fetches browser information installed in the system.
• Pulls out stored information of browser cookies from the system.
• Targets Facebook Business accounts.
• Looks for crypto account information in the wallet.dat file.
• Collects and sends the data to the command and control (C&C) server.

Additionally, the malicious script collects information about installed browsers in the system and extracts the essential data from it such as machineID, browser version, and filename, and copies this data.

Targeting Facebook Pages to Steal Information

In this case, the malware examines the various Facebook pages to steal information. These pages belong to Facebook API graph, Facebook Ads Manager, and Facebook Business accounts. 

Searching for Facebook Business Ads Manager links, the malicious code will access details of accounts and payment cycles. The malware attempts to obtain the list of details from the Facebook Business pages:

• Payment initiated
• Payment required
• Verification Status
• Owner ad accounts
• Amount spent
• Currency details
• Account status
• Ads Payment cycle
• Funding source
• Payment method [credit card, debit card etc.]
• Paypal Payment method [email address]
• Owned pages.

Subsequently, the PHP script tries to connect to the C&C server to get the list of contents stored in JSON format, which further will be used to gather information.

“Ducktail stealer campaign continuously making changes or enhancement in the delivery mechanisms to steal a wide variety of sensitive user and system information targeting users at large,” the researchers said.

Also Read: Download Secure Web Filtering – Free E-book