New PHP Version of Ducktail Malware Hijacking Facebook Business Accounts

A PHP version of an information-stealing malware called Ducktail has been discovered in the wild being distributed in the form of cracked installers for legitimate apps and games, according to the latest findings from Zscaler.

“Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc.,” Zscaler ThreatLabz researchers Tarun Dewan and Stuti Chaturvedi said.

Ducktail, which emerged on the threat landscape in late 2021, is attributed to an unnamed Vietnamese threat actor, with the malware primarily designed to hijack Facebook business and advertising accounts.

The financially motivated cybercriminal operation was first documented by Finnish cybersecurity company WithSecure (formerly F-Secure) in late July 2022.

While previous versions of the malware were found to use Telegram as a command-and-control (C2) channel to exfiltrate information, the PHP variant spotted in August 2022 establishes connections to a newly hosted website to store the data in JSON format.

Attack chains observed by Zscaler entail embedding the malware in ZIP archive files hosted on file-sharing services like mediafire[.]com, masquerading as cracked versions of Microsoft Office, games, and porn-related files.

Execution of the installer, in turn, activates a PHP script that ultimately launches the code responsible for stealing and exfiltrating data from web browsers, cryptocurrency wallets, and Facebook Business accounts.

Also, in a sign that the actors behind the malware are expanding their targeting scope, the refreshed Ducktail campaign is aimed at regular Facebook users as well, rather than setting its sights only on employees with Admin or Finance access to Facebook Business accounts.

“It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancements in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information targeting users at large,” the researchers said.
