Ducktail Malware Operation Evolves with New Malicious Capabilities

A Vietnam-based hacking operation dubbed “Ducktail” is targeting individuals and companies operating on Facebook’s Ads and Business platform.

Ducktail

Ducktail has been around since 2021, and is attributed to a Vietnamese threat group. Campaigns to-date have focused on taking over Facebook Business accounts, both to manipulate pages and to access financial information.

The malicious activity was first documented by the Finnish cybersecurity company WithSecure in July 2022. The operation is believed to have been underway since the second half of 2021, although evidence points to the threat actor being active as far back as late 2018.

WithSecure has also noted changes to the malware's features: a more robust method of obtaining attacker-controlled email addresses, and an effort to make the malware look more legitimate by displaying dummy documents and video files upon launch.

Further, Ducktail has been conducting advanced and continuous defense-evasion efforts by changing the malware's file format and compilation, and by countersigning its certificates.

The group is also reported to have invested in resource development and operational expansion by setting up other fake businesses in Vietnam and onboarding affiliates into the operation.

The Facebook Business account information collected by the malware, which is signed using digital certificates obtained under the guise of seven different non-existent businesses, is exfiltrated using Telegram.

IOCs

The following 32-character hex file hashes were published with the article (each hash was split across two lines by extraction and is reassembled here):

DF071DF2784573C444CA6E1421E3CB89
2FE1997F5339F97598DA1FEE5C1201A4
F7C7E9C1CD68602F9BBB5033B3794E26
8DC37D09F1A77B939A7373E6134E4824
321442C6546A63E5315EB321341DFBBA
129a3ff92f28eda3cf830b53f19cacef

About the Author:

FirstHackersNews- Identifies Security
