A Vietnam-based hacking operation dubbed “Ducktail” is targeting individuals and companies operating on Facebook’s Ads and Business platform.
Ducktail has been around since 2021 and is attributed to a Vietnamese threat group. Campaigns to date have focused on taking over Facebook Business accounts, both to manipulate pages and to access financial information.
The malicious activity was first documented by the Finnish cybersecurity company WithSecure in July 2022. The operation is believed to have been underway since the second half of 2021, although evidence points to the threat actor being active as far back as late 2018.
WithSecure has also noted changes to the malware's features, including a more robust method of obtaining attacker-controlled email addresses, as well as efforts to make the malware look more legitimate by displaying dummy documents and video files upon launch.
Further, Ducktail has been conducting advanced and continuous defense evasion efforts by changing the file format and compilation method of its malware and by countersigning certificates.
The group is also believed to have invested in resource development and operational expansion by setting up other fake businesses in Vietnam and onboarding affiliates into the operation.
The Facebook Business account information collected by the malware, which is signed using digital certificates obtained under the guise of seven different non-existent businesses, is exfiltrated using Telegram.