Facebook business and advertising accounts are at the receiving end of an ongoing campaign dubbed Ducktail designed to seize control as part of a financially driven cybercriminal operation.
“The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware,” Finnish cybersecurity company WithSecure (formerly F-Secure Business) said in a new report.
“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to.”
The attacks, attributed to a Vietnamese threat actor, are said to have begun in the latter half of 2021, with primary targets being individuals with managerial, digital marketing, digital media, and human resources roles in companies.
The idea is to target employees with high-level access to Facebook Business accounts associated with their organizations, tricking them into downloading supposed Facebook advertising information hosted on Dropbox, Apple iCloud, and MediaFire.
In some cases, the archive file containing the malicious payload is also delivered to victims through LinkedIn, ultimately allowing the attacker to take over any Facebook Business account.
An information-stealing malware written in .NET Core, the binary is engineered to use Telegram for command-and-control and data exfiltration. WithSecure said it identified eight Telegram channels that were used for this purpose.
It works by scanning for installed browsers such as Google Chrome, Microsoft Edge, Brave Browser, and Mozilla Firefox to extract all the stored cookies and access tokens, alongside stealing information from the victim’s personal Facebook account such as name, email address, date of birth, and user ID.
Also plundered are data from businesses and ad accounts connected to the victim’s personal account, allowing the adversary to hijack the accounts by adding an actor-controlled email address retrieved from the Telegram channel and grant themselves Admin and Finance editor access.
While users with Admin roles have full control over the Facebook Business account, users with Finance editor permissions can edit business credit card information and financial details like transactions, invoices, account spend, and payment methods.
Telemetry data gathered by WithSecure shows a global targeting pattern spanning a number of countries, including the Philippines, India, Saudi Arabia, Italy, Germany, Sweden, and Finland.
That said, the company noted it was “unable to determine the success, or lack thereof” of the Ducktail campaign, adding it couldn’t establish how many users have potentially been affected by the spear-phishing operation.
Facebook Business administrators are advised to review their access permissions and remove any unknown users to secure the accounts.
The findings are yet another indicator of how bad actors are increasingly banking on legitimate messaging apps like Discord and Telegram, abusing their automation features to propagate malware or meet their operational goals.
“Primarily used in conjunction with information stealers, cybercriminals have found ways to use these platforms to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” Intel 471 said Tuesday.